[00:28] <cole> anyone have a 10.10 box (physical) that would be willing to test a script for me on?
[02:16] <jdimatteo1> good evening
[02:18] <jdimatteo1> how can I configure nsswitch.conf to not timeout with the error "YPBINDPROC_DOMAIN: Domain not bound" before logging in as a local user on a client configured with NIS with no connection to the NIS server?  I'm trying to make logging in to a local user work without long timeouts when the connection is lost to the NIS server
[02:19] <jdimatteo1> the problem seems to be with the group line of nsswitch, group:   files nis
[02:19] <twb> jdimatteo1: not using NIS would be the most obvious way
[02:20] <twb> Listing files before nis SHOULD suffice to allow local users to log in prior to issuing nis requests.  pastebin your whole nsswitch.conf.
[02:20] <jdimatteo1> twb: thanks, but I want NIS to normally work.  I am trying to better handle the unusual case where the network connection is not working and someone needs to login as a local user (e.g. root needs to login to update the networking configuration).
[02:21] <jdimatteo1> twb: one sec regarding pastebin
[02:22] <twb> There are also a bunch of options you can put in [square brackets] in nsswitch.conf; I think they're documented in the libc or coreutils info pages...
[02:24] <jdimatteo1> http://pastebin.com/SAqs2uGq
[02:24] <jdimatteo1> twb: your help is greatly appreciated... this problem just drive me nuts
[02:25] <jdimatteo1> I'm reviewing man libc now
[02:27] <twb> jdimatteo1: ah, start with man nsswitch.conf
[02:28] <twb> Also, are you broadcasting for the YP server, or are you hard-coding its IP?
[02:29] <jdimatteo1> twb: I already read man nsswitch.conf.  from what I understand, [SUCCESS=return] should be the default anyway, and the other statuses (notfound, unavail, tryagain) don't seem any better
[02:31] <jdimatteo1> twb: I'm sorry, can you please explain what you mean by broadcasting?  I have the YP server hostnames set in /etc/yp.conf, and the ypserver IP addresses defined in /etc/hosts.  Maybe broadcasting is setup as well, but I'm not sure (I didn't originally configure this NIS configuration)...
[02:31] <jdimatteo1> twb: does that sufficiently answer your question about broadcasting?
[02:32] <twb> Hmm?
[02:32] <twb> I mean do you have "server 1.2.3.4" in /etc/yp.conf (IIRC)
[02:32] <jdimatteo1> yes, I do.  (specifically, I have http://pastebin.com/hi05CCRp)
[02:32] <twb> If you don't, IIRC it basically causes it to "ask around" (i.e. broadcast) to find a yp server, which probably takes a while
[02:33] <twb> You can also try turning off / removing nscd
[02:33] <twb> Also, if Network Manager is installed, get the fuck rid of it.  It causes more network problems than anything else short of a backhoe
[02:35] <jdimatteo1> twd: I'm not familiar with nscd, and I don't think it is installed on my system (e.g. "whereis nscd" shows no path)
[02:36] <jdimatteo1> twb: I think Network Manager is installed... I agree with you that it is annoying on a server, so I'm uninstalling it now to simplify things
[02:37] <twb> In 8.04, if you had NIS and NM installed the damn thing would take twenty minutes to netboot
[02:37] <twb> Er, to boot at all.
[02:37] <rdw200169> jdimatteo1: i agree, manual is much easier.  seems pointless to have any kind of NM on a server ;)
[02:37] <twb> rdw200169: NM is pointless everywhere
[02:38] <rdw200169> twb: double-agree
[02:38] <twb> double-plus-un-good!
[02:38] <jdimatteo1> :) something we all agree on, thats nice
[02:40] <rdw200169> i never thought it was that hard to understand /etc/networking/interfaces... but then again, i'm not normal i guess
[02:41] <twb> Normal users don't DESERVE computers
[02:41]  * twb is a sysadmin
[02:41] <Nafallo> you guys still use interfaces?
[02:41]  * Nafallo uses vtysh for that ;-)
[02:42] <twb> Nafallo: that's not in Debian.
[02:42] <jdimatteo1> twb: OMG, that fixed the issue :) now let me update my nsswitch to actually work for shadow too and see if it is completely solved
[02:42] <twb> jdimatteo1: fucking typical :-/
[02:44] <Nafallo> twb: quagga
[02:44] <twb> Oh, yeah, there it is in apt-file
[02:44] <twb> I haven't switched to IPv6 yet, so I haven't bothered.
[02:45] <Nafallo> neither have I
[02:45] <twb> I mean, it's not like I have an AS...
[02:45] <Nafallo> when I do add IPv6 I'll do dual-stacking though
[02:45] <Nafallo> I do :-P
[02:45] <twb> I did think about it, but I decided it wasn't worth the hassle just to improve multi-path routing to my office
[02:45] <jdimatteo1> twb: I really hardly believe that fixed it... but it really did...  seems unbelievable...
[02:46] <twb> I mean, most outages are caused by telstra not fixing their copper, which will fuck BOTH my ISPs.
[02:46] <twb> And of course we were talking about NIS clients, which tends to imply leaf nodes on the network, i.e. BGP is not relevant.  YMMV, etc.
[03:02] <_Neytiri_> can i get some help with ldap i am getting this error
[03:02] <_Neytiri_> root@Pandora-Eywa-DC1:~# ldapadd -x -W -D "cn=admin,dc=xray-hope,dc=local" -f ~/people_group.ldif
[03:02] <_Neytiri_> Enter LDAP Password:
[03:02] <_Neytiri_> ldap_bind: Invalid credentials (49)
[03:02] <_Neytiri_> root@Pandora-Eywa-DC1:~#
[03:02] <_Neytiri_> it never asked me to set a password when i set it up
[03:05] <jdimatteo1> twb: fyi, I must have been confused earlier because it turns out network-manager had nothing todo with the issue.  I really couldn't believe network-manager caused my NIS issue, so I reverted to saved snapshot of the system, updated the nsswitch file, and the yp timeout errors are no longer occurring... I guess it is getting too late for me, since I'm not sure why it is working now, but I just wanted to point out ne
[03:07] <jdimatteo1> goodnight all.  my problem is fixed and I have no idea why.  good enough for me
[03:15] <twb> jdimatteo1_afk: still there?
[03:15] <twb> jdimatteo1_afk: what VM technology are you using (e.g. KVM)?  Are you bridging the VMs to the main network, and are you using proxy arp?  IME VMs often have trouble with even simple things, like getting UDP to work reliably.
[03:18] <_Neytiri_> anyone here can tell mow how to get ldap working on ubuntu 10.4
[03:20] <c0nv1ct> _Neytiri_, set the password in slapd.conf
[03:20] <_Neytiri_> where do i find that file?
[03:20] <twb> _Neytiri_: client or server side?
[03:21] <_Neytiri_> serverside
[03:21] <c0nv1ct> _Neytiri_, /etc/ldap
[03:21] <_Neytiri_> slapd.cond doesent exist
[03:21] <c0nv1ct> you should know where to find that file since you need to edit it to setup your ldap server
[03:21] <_Neytiri_> .conf*
[03:22] <_Neytiri_> the only .conf file is a ldap.conf
[03:22] <c0nv1ct> look in there then, you should see lines for rootdn and rootpw
[03:22] <twb> _Neytiri_: is slapd installed?
[03:23] <_Neytiri_> twb, it should be i am following this tutorial http://www.debuntu.org/ldap-server-and-linux-ldap-clients
[03:24] <c0nv1ct> _Neytiri_, but you just said it never asked to setup a password
[03:24] <_Neytiri_> slapd is already the newest version.
[03:24] <_Neytiri_> it didnt
[03:24] <c0nv1ct> _Neytiri_, look at the 3rd step in the guide you just posted
[03:25] <_Neytiri_> did that it only asked 3 things
[03:25] <_Neytiri_> omit ldap config, pure db and allow ldapv2
[03:26] <c0nv1ct> if you didnt omit the ldap config, you should of been asked those other questions
[03:26] <c0nv1ct> should have*
[03:27] <_Neytiri_> i dinty omit it and it never asked me
[03:27] <_Neytiri_> didnt*
[03:31] <c0nv1ct> _Neytiri_, have you tried the guide for ldap in the ubuntu server guide?
[03:31] <c0nv1ct> the one i'm looking at looks nothing like that guide you posted
[03:31] <_Neytiri_> where do i find that?
[03:31] <c0nv1ct> doc.ubuntu.com
[03:32] <c0nv1ct> or help.ubuntu.com actually
[03:35] <_Neytiri_> i did a remove on everyting i installed from that tutorial and am working off of https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
[03:43] <_Neytiri_> where would i set the actual domin name?
[03:44] <twb> _Neytiri_: you mean the LDAP DN?
[03:44] <_Neytiri_> ya
[03:48] <twb> It's just the (root)binddn and rootbindpw in the LDAP client
[03:48] <twb> And the objects themselves in the LDAP server
[04:19] <overrider> Usually when i log into my Ubuntu 10.04 Server, at least every other day there is something for me to upgrade using apt-get upgrade. Since about 9 days, it always reports 0 packages can be updated.
[04:19] <overrider> This is on two different 10.04 Servers the same, can it be or is there something wrong?
[04:20] <twb> 10.04 has been released.
[04:20] <twb> That means the only updates for it are security updates
[04:21] <twb> It's actually bad that you were getting updates every other day -- it meant there were lots of vulnerabilities in the original 10.04 release
[04:21] <overrider> twb: so you mean i also will not receive updates to already installed packages should there be any?
[04:21] <twb> There are two kinds of updates
[04:21] <twb> SECURITY updates fix bugs.
[04:22] <twb> FEATURE updates introduce bugs.
[04:22] <twb> Released versions of Ubuntu only get the former.
[04:22] <overrider> What i am saying is, say Dovecot will release a new version of itself. Will that show up when i run apt-get upgrade?
[04:22] <twb> It will not.
[04:22] <overrider> Hmmmm
[04:23] <overrider> What if the update fixes a security hole?
[04:23] <twb> Then the security team will (usually) backport that security patch to the earlier version.
[04:23] <twb> There are exceptions to this, such as Mozilla products.
[04:24] <overrider> Sorry to be numb, somehow i feel nervous that nothing was there to update since days...
[04:24] <twb> overrider: but change is bad!
[04:24] <overrider> its 10.04 server lts, and runs apache, dovecot and postfix and the likes.
[04:24] <fij0> anybody has used kernel direct boot ?
[04:24] <overrider> twb: yeah sure, just wanted to make sure i still receive the security updates;
[04:24] <twb> fij0: never heard of it.
[04:25] <fij0> im trying but the VM donsent boot
[04:25] <fij0> twb, http://www.mail-archive.com/libvir-list@redhat.com/msg15128.html
[04:25] <twb> overrider: unfortunately I don't know a way to be confident about that; you could certainly check that -security is still listed in your sources.list, and that "apt-get update" works.
[04:25] <fij0> twb, you pass to the VM the kernel of the host .........basicaly
[04:26] <fij0> sorry mi inglish is realy poor
[04:26] <fij0> english
[04:26] <twb> I don't see how that could ever work
[04:26] <fij0> twb, libvirt support that - http://libvirt.org/formatdomain.html
[04:27] <fij0> twb, it is realy healfull with lvm , so you cant exec the VM in an lv in the host
[04:27] <fij0> like xen
[04:27] <twb> Surely it assumes that either you're running a module-less kernel, or that neither host nor guest EVER changes kernel
[04:27] <twb> Oh, I see what they're saying.
[04:28] <twb> They just mean the equivalent of qemu -kernel and -initrd -- as opposed to having a bootloader inside the virtual disk.
[04:28] <fij0> twb, yes
[04:28] <fij0> twb, work, im sure, but i cant doit :S
[04:28] <twb> I have done that before with qemu, a lot.  I haven't ever done it with libvirt
[04:29] <twb> All you do is copy the kernel and ramdisk out of the guest's /boot
[04:29] <twb> You probably shouldn't put the guest's kernel and ramdisk in the host's /boot, though
[04:30] <twb> In what way is it not working?
[04:33] <fij0> twb, when is booting , crash and say
[04:33] <fij0> boot args (cat /proc/cmdline)
[04:34] <fij0> check rootdelay= (did the system wait long enought?)
[04:34] <twb> OK, so it can't find the root filesystem.
[04:34] <fij0> twb, yes
[04:34] <twb> Please pastebin your libvirt config file (the XML file), and the full boot transcript.
[04:36] <fij0> twb, the xml - http://pastebin.com.ar/6320
[04:36] <twb> I don't think the &quot; should be there
[04:37] <fij0> twb, the /var/log/libvirt/qemu/base.log - http://pastebin.com.ar/6321
[04:37] <fij0> twb, what quote ?
[04:37] <twb> Oops, ignore that, it should be there.
[04:37] <twb> No, I change my mind again, it shouldn't :-)
[04:37] <twb> Inside <cmdline />, you have a " on each end.  Try removing it
[04:38] <twb> You can see those quotes aren't present in the CMDLINE example at http://libvirt.org/formatdomain.html#elementsOSKernel
[04:39] <fij0> twb, yes, i dont know why put that :S , anyway , i remove and happend the same thin
[04:42] <twb> OK, try specifying the root filesystem by device name instead of UUID
[04:42] <twb> Also, in the fallback initrd you get, try catting /proc/partitions
[04:42] <twb> And also in there, look at /dev/disk/by-*/
[04:43] <fij0> sorry but i dont understand
[04:44] <twb> After it talks about rootdelay, it should give you a busybox shell
[04:44] <fij0> twb, yes
[04:45] <twb> OK, in there, run "cat /proc/partitions"
[04:47] <fij0> 252 0 4194304 vda
[04:47] <twb> OK, so try root=/dev/vda instead of root=UUID=...
[04:48] <fij0> something like this ?     <cmdline>root=/dev/vda ro</cmdline>
[04:49] <fij0> twb, it work !!! thanks a lot !
[04:50] <DanInOz> hey sorry for the noob question, i jsut did a fresh install of 10.10 server and i accidently mistyped the proxy server on the installation. How do I reenter the corrent info?
[04:51] <twb> OK.  Either you got the UUID wrong, or you can't rely on udev UUID/NAME labelling.
[04:51] <twb> fij0: because it's a VM, it should be pretty safe to just use root=/dev/vda forevery
[04:51] <twb> *forever
[04:51] <twb> DanInOz: when it fails, hit "back" or "reconfigure" or whatever the option is
[04:51] <DanInOz> i've already completed the install
[04:52] <twb> DanInOz: oh, then go to /etc/apt/apt.conf
[04:52] <DanInOz> yeap, changed that. still uses old setting for some reason
[04:52] <twb> That shouldn't happen.
[04:52] <DanInOz> i'll just
[04:52] <twb> what is the value of $http_proxy?
[04:52] <DanInOz> double check it quick but
[04:52] <DanInOz> i dunno how to change that ><
[04:52] <twb> DanInOz: you don't know how to change what?
[04:52] <DanInOz> like i said, i a a noob haha
[04:53] <DanInOz> system variables
[04:53] <twb> I don't know what you mean by "system variables"
[04:53] <DanInOz> sorry i been reading articles off google trying to fix it I could completely have my wires crossed
[04:54] <DanInOz> ok i checked apt.conf and it has defiantly saved the change i made
[04:54] <DanInOz> apt still is trying to use the first value though
[04:54] <twb> Then check the environment variable $http_proxy.
[04:55] <DanInOz> how do i do that?
[04:55] <twb> echo $http_proxy
[04:56] <DanInOz> it just comes up blank
[04:56] <twb> Then I don't know where you're getting the "wrong" proxy value from.
[04:56] <twb> Hm, I suppose you should also check /etc/apt/apt.conf.d/*, but I'm not aware of the installer touching that.
[04:56] <DanInOz> ok i will look
[04:56] <twb> Also, I'm assuming you're using either "sudo apt-get" or "sudo aptitude"; if you're using something like synaptic, I can't help you.
[04:57] <twb> If all else fails, you can try grepping recursively over /etc for the bad proxy string.
[04:58] <DanInOz> ok thank you :) i'll try those things
[04:58] <DanInOz> thanks for your patiance!
[05:17]  * pennyless is away: Gone away for now
[06:47] <eagles0513875> hey guys i have a quick question for anyone. does it matter waht order i configure dovecot + postfix?
[06:47] <twb> I shouldn't think so, but I haven't done it.
[06:49] <eagles0513875> ok :-/
[06:50] <eagles0513875> prior install i was able to get all incoming email then  no outgoing then at a point i couldnt get incoming emails either
[06:50] <twb> That was weird.  I just noticed that all my alternatives-managed files in /usr/bin weren't symlinks.
[06:53] <eagles0513875> O_o
[06:53] <eagles0513875> im apprehensive to follow the setup guides for dovecot and postfix again
[06:53] <eagles0513875> to end up with the same result as before :(
[06:53] <twb> eagles0513875: so go through your /etc history to find out what changed?
[06:54] <eagles0513875> already purged and reinstalled just havent configured yet
[06:55] <eagles0513875> atm not sure what would be worse having postfix not working right or having to deal with a microsoft exchange server
[07:02] <eagles0513875> hey twb
[07:03] <eagles0513875> im wondering if the issues i was having could be dovecot related
[07:03] <eagles0513875> dovecot in lucid is old stable version 1.1.2
[07:03] <eagles0513875> lates is 2.0.6
[07:13] <eagles0513875> hehe ^^ i reported that
[07:13] <eagles0513875> any email experts in here this morning?
[07:14] <_ruben> try asking more specific questions instead
[07:15] <twb> _ruben: I'm ignoring him, FWIW
[07:15] <eagles0513875> _ruben: my question is doesnt it matter what order i confgure postfix or dovecot
[07:17] <_ruben> it doesnt, you should "glue 'em together" yourself anyway
[07:18] <eagles0513875> ok
[07:18] <eagles0513875> interesting
[07:18] <eagles0513875> thanks
[07:20] <lifeless> .win 67
[07:21] <eagles0513875> ?
[07:23] <kaushal> hi
[07:23] <kaushal> I have been facing issue about collectd MySQL Plugin for configuring Multiple DB,It defaults to root user inspite of other user being hard coded in the config,Please advice
[07:23] <kaushal> I am using collectd 4.10.1
[07:28] <noaXess> good morning
[07:28] <noaXess> have a 8.10 installation.. and saw now, that there are no updates..
[07:29] <noaXess> can't make updates now, cause on http://ch.archive.ubuntu.com/ubuntu/dists/ there is no intrepid ... grrr
[07:33] <twb> Isn't 8.10 EOLd by now?
[07:34] <twb> noaXess: you should probably upgrade to a release that's still supported, see https://help.ubuntu.com/community/UpgradeNotes
[07:34] <eagles0513875> i think it is twb
[07:35] <noaXess> twb: EOL i think yes.. but don't i need first update to the latest packages on 8.10?
[07:35] <kaushal> noaXess: https://wiki.ubuntu.com/Releases
[07:35] <twb> noaXess: I don't know; read the notes I linked to
[07:35] <noaXess> ok
[07:43] <kaushal> Can some one please help me about my query ?
[07:44] <twb> Sorry, MySQL is boring
[07:44] <kaushal> i see
[07:44] <kaushal> what makes you say so
[07:48] <twb> Because it's not very good at being a real database (cf. postgres), and it's not very good at being an easy-to-use, lightweight toy database (cf. sqlite).
[07:49] <twb> Which is the position of every DBA I've ever met; the only people that like it are PHP users, which is kind of an anti-recommendation.
[07:59] <owh> kaushal: What do you mean when you say hard-coded in the config?
[08:01] <kaushal> owh: shall i pastebin the collectd.conf ?
[08:01] <owh> No.
[08:01] <kaushal> when i run the mysql command i am able to connect
[08:02] <owh> So, what is the actual problem?
[08:02] <kaushal> whereas when i use collectd, it maps to root@localhost by default
[08:02] <kaushal> inspite of setting user other than root user
[08:03] <kaushal> I could see in the collectd debug log
[08:03] <twb> IIRC mysql has some broken thing where referring to either "localhost" or "127.0.0.1" actually makes it use a socket instead of a port
[08:04] <owh> Not having ever used collectd, I suspect you might have a syntax error in your config. Can you increase the vebosity? Did you reload/restart collectd after updating the config?
[08:04] <owh> twb: You appear to be referring to a network/non-network connection parameter which changed default behaviour for security purposes in v4 of MySQL.I don't think it's relevant.
[08:08] <twb> OK, that was just a shot in the dark
[08:08] <twb> The last couple of times someone was in here, that turned out to be the problem
[08:09] <owh> The problem being described appears to be an authentication issue.
[08:10] <owh> twb: If you make a shot in the dark, that's fine, but it would be smart to let your audience know that it's a shot in the dark. There's nothing wrong with firing off ideas, but you need to provide some context since not everyone knows everyone in this place.
[08:10] <twb> sorry
[08:12] <owh> BRB
[08:16] <kaushal> I have increased the verbosity
[08:16] <kaushal> to debug
[08:16] <kaushal> it still not worked
[08:17] <kaushal> [2010-11-03 01:17:26] mysql_real_connect failed: Access denied for user 'root'@'localhost' (using password: NO)
[08:17] <kaushal> [2010-11-03 01:17:26] read-function of plugin `mysql' failed. Will suspend it for 10 seconds.
[08:17] <kaushal> i get that error
[08:18] <twb> kaushal: that's from collectd's log?
[08:19] <kaushal> yes
[08:19] <kaushal> http://pastebin.ubuntu.com/524931/
[08:21] <twb> kaushal: that doesn't look like root@localhost
[08:22] <owh> kaushal: Is that the complete configuration file for collectd?
[08:22] <kaushal> owh: nope
[08:22] <owh> Does mysql have a nagios user?
[08:22] <kaushal> yes
[08:22] <kaushal> Let me pastebin it again
[08:23] <owh> Did you reload privileges?
[08:23] <kaushal> http://pastebin.ubuntu.com/524934/
[08:23] <kaushal> that will explain the details
[08:24] <owh> It is possible/probable that you have a syntax error in your config, or that collectd doesn't use the credentials the way you expect.
[08:25] <kaushal> Do you want me to pastebin the collectd.conf ?
[08:25] <owh> Is there an /etc/default/collectd file which perhaps overrides stuff?
[08:26] <kaushal> I have compiled collectd from source
[08:26] <kaushal> I am using collectd 4.10.1
[08:26] <owh> Well, at that point you lost all support really. Is there not a ubuntu packaged version?
[08:27] <kaushal> ok
[08:27] <kaushal> but it does not support multiple instances
[08:27] <kaushal> I am using 8.04
[08:27] <owh> The reason I say that is because when you use a ubuntu package, things are stored in certain places and people like me expect things to be in those places.
[08:28] <kaushal> ok
[08:28] <owh> Is multiple instances support a compile option?
[08:28] <kaushal> nope
[08:28] <owh> So, you hacked it?
[08:28] <kaushal> http://collectd.org/wiki/index.php/Plugin:MySQL
[08:30] <owh> Let me get this straight. You're just trying to collect stats from mysql?
[08:32] <owh> Does it work for one database?
[08:33] <kaushal> yes
[08:35] <owh> Why are you then showing a different socket?
[08:43] <kaushal> It has been configured like that
[08:43] <owh> A different socket for a different database?
[08:44] <kaushal> yes
[08:44] <owh> What happens if you create two plugin sections, rather than two database sections in the same plugin section?
[08:47] <kaushal> ok
[08:47] <kaushal> owh: Let me try it out
[08:48] <kaushal> Thanks for the hint
[08:48] <kaushal> will update you now
[08:49] <kaushal> still the same
[08:50] <owh> So, why are you doing this with two different sockets again?
[08:51] <kaushal> Its multiple MySQL Instances
[08:52] <owh> I think you're going to have to ask the collectd developers about this one.
[08:52] <kaushal> ok
[08:52] <kaushal> owh: i can pastebin the collectd.conf
[08:53] <owh> As I said before, I'm not a user of collectd. I'm asking silly questions to get you to say :"Doh, aha!"
[08:57] <jmazaredo> i will be installing bacula but it ask me to use dbconfig-common will this erase my other databases?
[08:57] <kaushal> owh: Thanks for the support
[08:57] <kaushal> np
[08:58] <owh> kaushal: Not that we got to an answer, but sometimes that happens :)
[08:58] <kaushal> yes an attempt is crucial in life
[08:58] <kaushal> isnt it
[08:58] <kaushal> Thats much appreciated
[08:58] <owh> Yup
[08:59] <kaushal> owh: the irony is that no one responds on #collectd
[08:59] <kaushal> I have been following it rigorously
[08:59] <kaushal> for quite some time
[08:59] <owh> I'd see if there is a mailing list and send an email there.
[09:00] <kaushal> I have tested it with the older version too and then i used the latest under the impression that it would be working fine
[09:00] <kaushal> but it did not worked either
[09:00] <Callum__> ugh, postfix doesn't want to work with clamav-milter at all
[09:01] <Callum__> give it the right name for the socket = still says socket file doesn't exist, even though it does and clamav-milter is running
[09:03] <Callum__> postfix/smtpd[8781]: warning: connect to Milter service unix:/var/run/clamav/clamav-milter.ctl: No such file or directory
[09:03] <Callum__> definitely does exist, and is a valid socket
[09:09] <twb> Grumble
[09:10] <twb> I get annoyed every time I see clamav on a server, using up all the free CPU and memory
[09:10] <twb> I think "if they didn't have Windows desktops, I could get rid of this stupid scanner"
[09:34] <Callum__> twb: our business itself doesn't have any Windows machines, but all of our staff do at home so yeah its required
[09:34] <twb> Stupid staff
[09:34] <twb> I jump on their heads!
[09:35] <Callum__> it frustrates me how little about computers they know >_>
[09:35] <Callum__> but we don't pay them haha we're a non-profit organisation of course
[09:36] <twb> They should need a license to use them
[09:36] <twb> like automobiles and forklifts and handgus
[09:37] <twb> *handguns
[09:39] <Callum__> heh
[09:59] <evelyette> hey: I'm having problems with: https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html does anyone care to help ?
[10:05] <twb> evelyette: you need to describe the problem first.
[10:12] <dubphil> Hello
[10:23] <evelyette> twb, hi
[10:23] <evelyette> well the problem is with step 5: the command I try to issue says: ldap_bind: Invalid credentials (49)
[10:23] <evelyette> it's  because I don't have cn=admin,cn=config
[10:24] <twb> Are you on 10.04?
[10:24] <evelyette> 10.10
[10:24] <evelyette> twb, ^
[10:24] <twb> Then why aren't you reading the 10.10 server guide?
[10:25] <evelyette> does it exist?
[10:25] <evelyette> well it should be the same ...
[10:25] <twb> TIAS
[10:26] <evelyette> yes it's the same
[10:26] <evelyette> so, do you have any idea why that happens
[10:26] <evelyette> because I've read this: http://www.openldap.org/doc/admin24/slapdconf2.html and there's no mentioning of "cn=admin,cn=config"
[10:26] <evelyette> so why should that even be there?
[10:28] <twb> IIRC cn=admin,cn=config is where Ubuntu moved the database config from slapd.conf into the database itself
[10:28] <twb> I've only dealt with slapd on 8.04, so I don't know much about it
[10:29] <evelyette> no it's the cn=config ...
[10:29] <evelyette> not the cn=admin,cn=config
[10:29] <evelyette> http://www.openldap.org/doc/admin24/config_dit.png
[10:29] <evelyette> there's cn=module,cn=config and cn=schema,cn=config. ...
[10:29] <evelyette> but no cn=admin,cn=config
[10:35] <twb> Dunno, man
[10:46] <rdw200169> i hated it when they moved to cn=config
[10:53] <twb> I hated pretty much every change from 8.04 to 10.04
[10:53] <twb> If joeyh's cuts get off the ground, I will just switch to it and tell the customers I'm running the "reliable" version of ubuntu
[10:54] <twb> The only reason I adopted ubuntu was because of the "when it's NOT ready" release schedule
[11:00] <ScottK> twb: Take a look at what's in Debian and not of the security hardening features in Ubuntu first.
[11:01] <ScottK> w.u.c/Security/Features IIRC
[11:01] <twb> Yeah, you have a point there
[11:01] <twb> Poor kees, he tries so hard to get traction there
[11:02] <twb> I just get so angry when simple stuff like booting from NFS doesn't work in an LTS release because of cyclic dependencies in the upstart jobs
[11:09] <kinygos> hi...what is a good program to pipe log files to on my ubuntu server?  primarily i'd like to feed it logs from apache2 and postgres8.4, and would like the rolled every 24 hours
[11:10] <qman__> kinygos, this is done by default, though the rotation is usually longer than 24 hours
[11:11] <kinygos> bugger...it's always the way, i've literally just found an article on LinuxLogFiles on ubunt.com (sorry about that)
[11:12] <kinygos> qman__: thanks for that...i'll check what's going on in my server at the moment :)
[11:13] <twb> kinygos: what you pipe them into really depends on what you're trying to achieve
[11:14] <twb> e.g. logcheck and denyhosts both work by reading logfiles, but they do different things
[11:22] <ScottK> twb: It's clear that the boot work in the last LTS was not well considered for the server use case.  That's unfortunate, but I suspect a one off occurrence.  If you have suggestions on how to fix it, I'm sure if it's not too invasive, they'd be open for changes.
[11:23] <kinygos> twb: very good point...thanks :)
[11:24] <Cope> hey
[11:24] <twb> ScottK: I realize that specific case was a one-off, but there seem to be a lot of one-offs for server users
[11:24] <Cope> trying to debootstrap a lucid image for uploading to ec2 as an ami
[11:24] <Cope> do I need to install the ec2 kernel?
[11:25] <Cope> in the chroot?
[11:25] <twb> About the worst thing Debian did to me was the motd fuckup
[11:25] <ScottK> twb: I think NFS is sufficiently non-obscure that there would be interest in getting it fixed.  A large problem is that most server people don't test pre-release.
[11:25] <twb> Nod.
[11:26] <twb> I tested 8.04 pretty extensively, but IIRC timing of 10.04 didn't tie in with the contracts I was working late 09 / early 10
[11:27] <twb> (i.e. I wasn't paid to start developing until June, and that was only because we discovered without warning that 8.04 didn't work with the Atom D510's GPU.)
[11:27] <Cope> any thoughts on the ami / ec2 kernel?
[11:28] <Hatrix|away> I  was used to the IOSTAT command and at some debian installations the iostat utility give ma all information in one line, as in (vmstat 1) ... but now on lucid iostat gives me statistics vertically, it's so hard to read changes if you do a iostat 1 ... is there a way to change the format to be on one line again? I did not find anything in the man pages .... or is this a new iostat?
[11:30] <twb> Hatrix|away: I've never seen a one-line iostat in linux.
[11:30] <Hatrix|away> twb: what is joeyh's cuts?
[11:31] <twb> Hatrix|away: Joey Hess is talking about making time-based snapshots of Sid, called "cuts"
[11:31] <Hatrix|away> twb: hmm, and for what reason, is this ubuntu related or debian related?
[11:31] <twb> ref http://kitenet.net/~joey/code/debian/cut/
[11:32] <twb> Hatrix|away: I don't understand the question.
[11:33] <twb> Hatrix|away: did you mean iostat output like this?  http://paste.debian.net/98916/
[11:33] <Hatrix|away> twb: yes, exactly
[11:33] <twb> That's OpenBSD.
[11:33] <twb> on linux, it looks like this: http://paste.debian.net/98917/
[11:34] <twb> (And that's FC3, so it has been like that for a while.)
[11:34] <Hatrix|away> well, i have it on a debian machine, and was used to it, but all ubuntu machines i have have the long output
[11:35] <Hatrix|away> twb: like here: http://inetpro.org/pastebin/10475
[11:36] <Hatrix|away> this is a debian 5.0.3
[11:36] <twb> I don't know how you got that.  Try looking at the manpage.
[11:36] <kinygos> omg....i've just looked in /var/log/auth.log for sshd logins, and it's packed with failed attempts from ip addresses i've not seen!!!  am i being naive??
[11:36] <Hatrix|away> I did, I am not a linux newbie ... but I did not find out anything
[11:37] <Hatrix|away> kinygos: haha, yes, for years i put my ssh logins to different ports (like, bigger 32000), that will not stop a determined person, but stops all those script kiddys and bot-net attacks
[11:37] <qman__> any SSH server listening on the default port will get hit
[11:38] <qman__> there are many ways to protect yourself
[11:38] <kinygos> wow...i think changing port is the first thing to do
[11:38] <qman__> changing ports can be very inconvenient, and isn't the only way
[11:38] <Hatrix|away> twb: ah, please forgive me, I never check the path of this iostat, it's a selfcompiled one from http://linux.inet.hr .... seems the prior admin loved the iostat onliner from bsd that much :-) haha, and I was searching my ASS off in the man pages
[11:38] <qman__> limiting firewalls and fail2ban will also negate these attacks
[11:39] <c0nv1ct> i'm a big fan of port knocking for ssh access
[11:39] <twb> c0nv1ct: with -m pknock, or do you use some lame-ass userland implementation?
[11:39] <Hatrix|away> qman__: yes, and that's why I said that I do it this way, of course there are million different ways, i like the port knockers though, but to much trouble for me
[11:39] <c0nv1ct> twb, lame-ass userland that works fine for me
[11:39] <twb> Bah.
[11:40] <twb> If anyone has a working -m hashlimit / -m recent implementation, let me know.
[11:40] <c0nv1ct> twb, what advantages does -m pknock give?
[11:40] <qman__> I use a -m recent
[11:40] <twb> I can get -m recent working, but -m hashlimit just sits on its ass matching every / no packet.
[11:40] <twb> c0nv1ct: it's in-kernel, so it'll still work when parts of your userland flake out.
[11:41] <twb> And obviously it means a purely declarative iptables-restore ruleset.
[11:41] <c0nv1ct> i thought userland knockd just relied on iptables
[11:41] <twb> The latter is less of an issue if your userland implementation is ipset(8)-based
[11:42] <twb> c0nv1ct: anything that calls iptables(8) directly is basically wrong and vulnerable to race conditions
[11:43] <soren> twb: How do you figure that?
[11:43] <twb> soren: based on the advice of the good folk of #netfilter, i.e. the guys who make iptables
[11:43] <soren> twb: What would you use instead?
[11:43] <twb> But also because I've *experienced* race conditions from scripts that weren't iptables-restore(8) based.
[11:44] <soren> Oh.
[11:44] <soren> iptables-restore is atomic?
 Hey I just restarted the server and the network isn't working so good. <me> hm, looks like you have four copies of most rules because all four ports on the NIC triggered the load-firewall script in your post-up.d
[11:44] <twb> soren: it's atomic at the table level
[11:45] <twb> i.e. it doesn't load -t nat and -t filter together, but everything in -t filter is an atom
[11:45] <soren> Cool.
[11:45] <twb> ufw uses iptables-restore, too, but in a slightly funny way
[11:45]  * soren never realised
[11:46] <c0nv1ct> what does shorewall use? i've started playing with it here a few days ago
[11:46] <twb> soren: part of the problem is that the kernel api for iptables is actually atomic at the table level no matter what you do
[11:46] <twb> soren: so iptables -A is actually dumping the entire filter table, making a change, then restoring the whole table again
[11:46] <soren> twb: "clever"
[11:46] <twb> Which is OK if you're playing around, but a script shouldn't be doing it.
[11:47] <twb> c0nv1ct: shorewall's latest major release (4.x?) is iptables-restore oriented
[11:49] <_ruben> switching from iptables to iptables-restore was quite noticeable for us .. firewall reloads went from 1-2minutes to a few seconds tops
[11:51] <kinygos> naive question: i only have a dedicated server in the data-centre, no firewall that i can play with...would installing a firewall daemon on my server have a significant impact on performance?
[11:51] <twb> Plus it's a lot sexier
[11:51] <twb> #!/usr/sbin/iptables-restore -v FTW
[11:51] <twb> None of this <<EOF crap
[11:51] <twb> Just have udev give your interfaces logical names.
[11:56]  * kinygos feels foolish having just read a bit about ufw
[11:59] <twb> kinygos: Linux implements the (layer 3) firewall in-kernel; it isn't a daemon.
[11:59] <twb> Anything you see claiming to be "a firewall" (e.g. ufw, shorewall) is actually just a wrapper around the netfilter/iptables stack, intended to make it easier to use.
[12:01] <kinygos> twb: the last 20 minutes of dialog here have scared me...am i right in thinking that i should at the very least enable ufw on my server? then look at pknock?
[12:02] <twb> ufw is a reasonable choice if you only need tcpwrappers-level flexibility
[12:02]  * kinygos is a developer, not a systadmin...but he's on his own
[12:02] <twb> i.e. deny all, but allow port X to/from hosts Y and Z
[12:02] <c0nv1ct> i'm having a hell of a time finding info on pknock
[12:02] <twb> c0nv1ct: it's part of xtables
[12:02] <c0nv1ct> twb, is it main line or do i need patches?
[12:02] <twb> Unfortunately it's currently not mainline :-(
[12:03] <c0nv1ct> i just skimmed through the netfilter section of my kernel config and didnt see it, so i wondered
[12:03] <twb> AIUI xtables is the module that provides all the bits the netfilter guys think are cool, but haven't put into mainline yet
[12:03] <twb> it used to be called patch-o-matic IIRC
[12:04] <c0nv1ct> thx
[12:05] <kinygos> twb: just to be sure i understood correctly...ufw is enough if i only want to allow the world to connect on ports 80 and 443, but only my machines to connect on 22?
[12:06] <twb> kinygos: ufw suffices for that
[12:06] <kinygos> twb: awesome, thank you very much for your time and consideration :)
[12:06] <twb> It's something like (from memory), "ufw enable; ufw allow http; ufw allow https; ufw allow ssh from 192.168/16"
[12:08] <kinygos> rofl....i was about to enable ufw over my ssh connection !!!  i only have remote access lol
[12:08] <kinygos> praise the developer that coded the warning...i could've lost my server completely
[12:09] <twb> If it has any brains it'll (essentially) be connection-oriented, meaning that most of the time you have to hang up ssh to REALLY shoot yourself in the foot
[12:10] <c0nv1ct> kinygos, lol, that is one reason i liked `shorewall try`
[12:12] <kinygos> i actually have to think about this carefully...i don't have direct access to this server...if my local ISP decides to change my ip address (i'm on a home broadband setup), i'll be buggered completely
[12:14] <kinygos> is it possible to configure my ubuntu-server to boot up with ufw disabled?
[12:14] <twb> c0nv1ct: iptables-apply ?
[12:14] <twb> Personally I don't like it because it was written by some ubuntu schmuck, yet it's shipped by upstream with all the upstart references intact...
[12:16] <twb> Hm, my mistake.  It's restarting fail2ban, not upstart.
[12:17] <twb> Hm, is it just me, or does it confuse exit(126) and exit(127)?
[12:17] <kinygos> rephrase my question: is it possible to have my server boot up without a certain rule enabled?
[12:17] <twb> It's just me.
[12:17] <twb> kinygos: anything is possible
[12:18] <twb> AFAIK ufw is designed to be all-of-nothing.  You give it a ruleset (via "ufw allow" and "ufw deny"), then tell it to be on or off.
[12:19] <kinygos> twb: so i could potentially turn off the rule relating to ssh on reboot in a start-up script
[12:19] <twb> That would be a little weird
[12:20] <twb> kinygos: what are you really trying to achieve?
[12:20] <c0nv1ct> kinygos, can you have the server rebooted without remote access?
[12:20] <kinygos> twb: i have no control over the ip address i'm assigned locally by my ISP.  if i restrict ssh access to my ip address, i could lose ssh access to my remote server
[12:20] <kinygos> c0nv1ct: yes, i have a lights-out board
[12:20] <c0nv1ct> kinygos, because you could just have a reasonable delay before the firewall is enabled
[12:21] <twb> kinygos: just restrict it to your ISP's /12, and ensure that password-based access is disabled?
[12:21] <c0nv1ct> that would limit the vulnerability but still leave you an emergency out
[12:21] <twb> Or you could simply block everything except, say, alioth.debian.org, and then always ssh into your server via alioth
[12:22] <twb> (Where alioth is some well-known host that isn't actually alioth, because I don't want the alioth admins to come around and break my fingers.)
[12:23] <kinygos> twb: lol...i was wondering :)
[12:23] <patdk-wk> why not just use port knocking?
[12:23] <c0nv1ct> patdk-wk, twb scared us all away from userspace port knocking
[12:23] <kinygos> c0nv1ct: i like the idea of a delay
[12:23] <patdk-wk> userspace?
[12:24] <patdk-wk> dunno, only used it in the kernel
[12:24] <c0nv1ct> as in knockd
[12:24] <patdk-wk> na, iptables can do it all by itself
[12:24] <twb> What I'd *really* like is just to have exponential backoff in the sshd itself
[12:24] <twb> But the OpenBSD guys won't accept the patch "because it'd make logins slower"
[12:24] <twb> Well, duh!  That's the point!
[12:25] <twb> c0nv1ct: xtables has -j TARPIT, too
[12:26] <jpds> I wish iptables had TARPIT.
[12:26] <twb> jpds: m-a a-i xtables-addons, iptables -A INPUT -j TARPIT
[12:26] <kinygos> twb: that is such a blindingly obvious solution
[12:27] <jpds> twb: Is the patch maintained though?
[12:27] <twb> I don't remember the precise invocation because I'm not putting cc on my bastion router
[12:27] <twb> jpds: AFAIK it's the same guys that maintain the rest of netfilter
[12:29] <patdk-wk> heh port knocking is supported without xtables, all you need is the recent module, and that is on my 8.04 install
[12:29] <patdk-wk> example: http://www.shorewall.net/PortKnocking.html
[12:30] <patdk-wk> shows pretty much the raw iptables lines
[12:31] <twb> That's not a knock sequence
[12:31] <twb> That's just one knock
[12:32] <twb> To do a proper sequence of, say, four ports, you'd need four different -m recent --name's
[12:32] <jpds> twb: http://pastebin.ubuntu.com/525018/
[12:32] <patdk-wk> heh?
[12:32] <twb> jpds: er, .35?  Are you running a non-LTS release?
[12:33] <jpds> Maverick on the laptop. :)
[12:33] <twb> Humph
[12:33] <twb> But yeah, I'd talk to #netfilter about that.  I'm just a user
[12:41] <twb> jpds: FWIW, compiled perfectly against debian's 2.6.32-5-amd64
[12:41] <jpds> Yeah, I don't have a box I can test it on at the moment.
[12:51] <Dark-Sun> hi every1
[12:54] <Dark-Sun> i have a firewall web panel, it uses perl and works with iptables. i was wondering if is it safe to run the perl script as a daemon using init scripts or not? (web server is apache, server ubuntu 10.04 lts)
[12:56] <twb> Dark-Sun: that really depends on what the code actually does
[12:57] <Dark-Sun> twb: not a big deal, reads a text file (iptables's parameters), executes iptables based on that once a while.
[12:57] <twb> Ah, I see you weren't around for the recent iptables discussion
[12:57] <twb> I'll /msg you a transcript.
[12:57] <Dark-Sun> twb: no
[12:57] <dubphil> Dark-Sun : why the hell using perl for this ?
[12:58] <_ruben> hm, backporting haproxy from maverick to hardy aint gonna be trivial
[13:00] <Dark-Sun> dubphil: it was an exercise for the collage. guess it's too bad in the real world, isn't it?
[13:01] <dubphil> Dark-sun the straighter is the safer
[13:01] <Dark-Sun> twb: what's wrong with iptables?
[13:02] <Dark-Sun> dubphil: and what do u mean by "straighter"? shell script?
[13:03] <dubphil> Dark-Sun: yes of course, stacking block is the way to introduce security holes
[13:04] <RoyK> dubphil: perl is pretty safe, you know, even if you like it or not
[13:04] <Dark-Sun> dubphil: that's right. but market demand is on GUIs.
[13:05] <dubphil> RoyK: yes but security depends on the way you code not on the language itself
[13:06] <ScottK> Right.  It's possible to write php in almost any language if you work at it.
[13:06] <Dark-Sun> agree. my code isn't safe at all! :( i'm on to secure it.
[13:07] <Dark-Sun> guys, please, now i may add it to init scripts beside apache ro i should take care of it?
[13:09] <dubphil> giving apache the ability to start or stop the firewall, great !
[13:09] <RoyK> dubphil: indeed
[13:09] <Dark-Sun> dubphil: oh, hell no! apache can't do anything to the script.
[13:10] <Dark-Sun> script should being run as root.
[13:10] <dubphil> Dark-Sun: sorry I didnot understand what you ment before then
[13:11] <Dark-Sun> dubphil: np, i was just talking about execution at the startup before any user does login.
[13:12] <ivoks> ttx: how's your new position? :)
[13:12] <Dark-Sun> if i add it to rc.local it would be like that, right?
[13:12] <ttx> ivoks: so far, not very different :)
[13:12] <ivoks> :)
[13:13] <dubphil> Dark-Sun: you can tweak this by giving a priority
[13:13] <Dark-Sun> dubphil: humm.. and how may i do it?
[13:13] <dubphil> man update-rc.d
[13:14] <Dark-Sun> dubphil: that's what i call a real nice answer. thanks dude ;)
[13:14] <dubphil> look at the NN or SS and KK
[13:23] <dubphil> anyone using logcheck here ?
[13:23] <twb> dubphil: I am.
[13:23] <twb> What's your real question?
[13:26] <dubphil> twb: I have put this in my ignore.d.server/local file : ^\w{3} [ :0-9]{11} hostname fetchmail\[[0-9]+\]: Query status=3 (AUTHFAIL) and it is always in my logs reported by logcheck, any idea why it is not taking in account ?
[13:26] <twb> dubphil: did you follow the logcheck documentation for creating new entries?
[13:27] <twb> dubphil: In particular, using egrep to test it, and the difference between normal and security local overrides?
[13:28] <\sh> hmmm..does someone run couchdb behind an apache reverse proxy ? I see some very strange things happening with futon but no error in logfiles...
[13:28] <dubphil> twb: perhaps not so, but because I had some other regex that where working I didnot understand why this one wouldn't
[13:29] <dubphil> so I will check the doc
[13:29] <twb> dubphil: I suspect because it has AUTH in it, you need to whitelist it in the security area
[13:30] <twb> Er, s/security/violations/
[13:31] <dubphil> twb: ok I did it in ignore.d.paranoid without much success, ok I test it in violations.ignore.d
[13:36] <twb> The other way, of course, is to actually fix the software so it doesn't generate that error
[13:37] <hackeron> hey, I have a /var/crash/linux-image-2.6.32-24-generic.0.crash - how do I get a traceback out of this file?
[13:38] <dubphil> twb: I use fetchmail to retrieve all my emails from the junk isps so their mailserver are not so reliable
[13:41] <twb> Dammit.  I just stepped through pbuilder --create --distribution, only to realize I forgot --architecture i386.
[13:43] <dubphil> twb: arf how long it takes ?
[13:43] <twb> maybe twenty minutes
[13:48] <hackeron> anyone? I have a /var/crash/linux-image-2.6.32-24-generic.0.crash - how do I get a traceback out of this file?
[13:51] <dubphil> hackeron: how did you get this file ?
[13:52] <hackeron> dubphil: apt-get install linux-crashdump and wait for it to crash (which I assume is caused by the dvr card)
[13:53] <jdstrand> twb: fyi, ufw upstream does not install an upstart job, or a sysv initscript for that matter. it states in the README that if installing from source you have to figure out how to integrate it into your system. it does ship an example upstart job and initscript
[13:53] <twb> jdstrand: re upstart & upstart, I was talking about iptables-apply
[13:53] <jdstrand> ah
[13:54] <twb> But it actually restarts fail2ban, via init.d
[13:54] <jdstrand> missed the context from backscroll
[13:56] <twb> jpds: GODDAMMIT, you're right, xtables-addons doesn't build for me on lucid.  Stupid ubuntu
[13:58] <jpds> twb: Built for me on a virtual machine.
[13:59] <rdw200169> who needs ufw anyway? this is -server we're doing here, not some easy-fied user stuff, why not just learn iptables... its not much different
[13:59] <jpds> (Lucid one that is).
[13:59] <twb> Hm, it seems to be getting pissed because the host arch is amd64, but the chroot is i386
[14:00] <hackeron> dubphil: https://wiki.ubuntu.com/Kernel/CrashdumpRecipe says to do apport-retrace --stdout --rebuild-package-info /var/crash/linux-image-2.6.32-24-generic.0.crash but I just get IndexError: list index out of range
[14:01] <dubphil> hackeron: sorry I will not be of help on this anyone to help hackeron ?
[14:07] <twb> http://pastebin.com/nafC2C4Z is what I'm getting
[14:15] <twb> Ah, the trick is to run "linux32 m-a ..." instead of just "m-a ..."
[14:31] <hallyn> jdstrand: libvirt compiled locally, but not in my ppa, so i guess hold off on that merge request for a bit :(
[14:33] <soren> twb: Yeah, the kernel build is kinda picky with the personality.
[14:33] <twb> Heh, shows how dumb I am -- I hadn't even noticed -j TARPIT needed -p tcp
[14:39] <jdstrand> hallyn: ok
[14:43] <patdk-wk> twb, your just funny :) you can't tarpit udp :)
[14:45] <twb> patdk-wk: or, say, -p ah
[14:46] <patdk-wk> ok, none-window-based-protocols :)
[14:51] <twb> Actually only -p 6 is supported at this time
[14:51] <twb> Others may be theoretically possible, of course
[14:51] <twb> (Patches welcome, I expect.)
[14:51] <ScottK> kirkland: RE packageselection-server-n-install-flavors - I thought for SSH we ended up on the idea of an installer question, but default to not installed so it doesn't have system policy implications.
[14:52] <kirkland> ScottK: nope, I took the action item to take this to the tech board
[14:52] <ScottK> I know we said that at one point, but I thought there was more discussion afterwards.
[14:53] <ScottK> Simply having the installer question solves the "Oops, I forgot" problem.
[14:53] <ScottK> SpamapS or ttx: ^^^ do you recall this?
[14:53] <kirkland> ScottK: installer question, yes, cursor hovering over "yes, install", but giving sufficiently ominous text that would convince the paranoid to move the cursor to "no, don't install"
[14:54] <kirkland> ScottK: that part I remember
[14:54] <ScottK> Right, I recall more after.  Just as the session was ending.
[14:55] <ttx> ScottK: we went back and forth on the subject, I tend to recall the same thing you did, but maybe it was hallway discussions just after
[14:56] <ScottK> Could be.
[14:56] <ttx> Maybe raising an RFC on ubuntu-dev before going to the TB would be a good idea
[14:56] <ScottK> kirkland: I'd suggest adding the question with default No for Natty and then re-assess.
[14:56] <ScottK> We mostly need to get this right for the next LTS, so there's no need to push it too hard in this cycle.
[14:56] <kirkland> ScottK: why?
[14:57] <ScottK> Because adding a question that defaults to no will be completely non-controversial.  Let's do that step first and assess if more is needed.
[15:01] <kirkland> ScottK: in that case, we can just add the question, no permission needed if we default to no;  and then simultaneously ask for permission to change that default to hovering over "yes"
[15:01] <kirkland> ScottK: i don't see the point in wasting any more Ubuntu cycles with the default set to something sub optimal
[15:01] <ScottK> I think the case would be stronger if we could say "We tried defaulting to no for one cycle and people still have problems."
[15:02] <ScottK> kirkland: Part of the problem is that lots of people will consider a yes default sub-optimal.
[15:02] <kirkland> ScottK: and they will be in a minority
[15:02] <kirkland> "are"
[15:03] <kirkland> If you're installing a server, you need SSH, except in very specific circumstances, in which case you hit "<tab><enter>"
[15:03] <kirkland> instead of "<enter>"
[15:05] <ScottK> If ssh is installed by default, we will need process for dealing with short notice ISO respins if security issues in the package happen again.
[15:12] <kirkland> ScottK: it wouldn't be "installed by default" ... it would take a conscious decision to hit <enter> while hovering over the button that says, "yes, i want to install ssh on this server and open port 22"
[15:12] <kirkland> smoser: you might want to change the approver of https://blueprints.launchpad.net/ubuntu/+spec/cloud-server-n-desktop-images to robbiew
[15:13] <ScottK> If the question defaults to yes, it's installed by default.
[15:13] <kirkland> ScottK: "by default" means that you're not asked whether you want it or not;  like the -server kernel is installed "by default"
[15:14] <ScottK> I don't think you can assume a user always sees all questions.
[15:14] <kirkland> ScottK: that's what I came into the session asking for, but we compromised on pulling the ssh-server part out of the tasksel, and giving it special treatment, devoting a question directly to it
[15:14] <smoser> kirkland, done
[15:14] <soren> ScottK: We choose which questions to ask.
[15:15] <ScottK> kirkland: I think a question is great, I just want it to default to no.
[15:15] <kirkland> ScottK: we also agreed that if users are preseeding, then the default is "no"
[15:15] <ScottK> OK.
[15:15] <kirkland> ScottK: if the default is "no", i refuse to put any effort into adding a question to the installer
[15:15] <smoser> i probably have to change all of those.
[15:15] <kirkland> ScottK: completely defeats the point
[15:15] <kirkland> smoser: yeah
[15:16] <kirkland> ScottK: there's already such a question, in the tasksel
[15:16] <kirkland> ScottK: its sufficiently buried already
[15:16] <ScottK> kirkland: I disagree.  The point is people forget to add the task, so it needs to be more obvious.  A question solves the problem IMO.
[15:17] <kirkland> ScottK: and we'll continue to have an inanely "safe" default, at the expense of the vast majority of server users would benefit from us taking an intelligent stand, rather than an unreasonably staunchly conservative stand
[15:18]  * patdk-wk likes selecting it from tasksel, and wouldn't like a seperate question
[15:18] <kirkland> ScottK: it's like defaulting the networking stack to "disabled" by default, just to make sure someone doesn't accidently enable networking
[15:18] <patdk-wk> either auto install, or in tasksel is good for me (a user)
[15:18] <mathiaz> ttx: o/
[15:18] <mathiaz> ttx: how are you doing today?
[15:19] <ScottK> kirkland: I see your point, but I think presenting the question is a sufficient solution.  We'll have to disagree then.
[15:19] <kirkland> patdk-wk: thank you for your input.
[15:21] <kirkland> ScottK: fair enough;  if i'm going to spend any time on this at all, i'm working to have a sane default, which is "SSH is an essential tool installed on most servers which are installed interactively; let's make this intuitive"
[15:21] <patdk-wk> I'm more under the understanding, if someone is security critical, they would inspect the installed packages, and remove anything not needed, or have their own preseed file they use instead
[15:21] <SpamapS> ScottK: here now.. I do recall that there was a desire to put it in the first stage of the installer, and that there was considerable resistance to putting any "scary" language in the installer.
[15:22] <kirkland> ScottK: if you're going to somehow veto that, then I'm not going to spend any effort on this and will abandon the idea entirely
[15:22] <cradek> (as just another user with 2c) it is a minor pain to have to remember to install sshd on each desktop machine I install.  I have no machines without ssh servers.  I am surprised that it is not default on a server install.  I am surprised it is controversial.
[15:22] <ScottK> kirkland: I don't have any veto power.
[15:22] <pkstef> would anyone have any tips for setting up ubuntu-server as a personal seedbox?
[15:23] <soren> What does a seedbox do?
[15:23] <\sh> patdk-wk: someone security critical would adjust the ssh default config to not listen on all interfaces/ips etc. and imho most server admins are installing sshd by default, or they do have another method of accessing the box remotely
[15:23] <SpamapS> kirkland: I'm 100% behind ScottK here. Security sits on the other extreme of the scale that ends with Convenience. We can tick it a little back toward convenience with a well thought out check box... going further means a bit too much exposure IMO.
[15:24] <pkstef> downloads torrents then i can ftp them from a different location
[15:24] <marrusl> I am also pro enabling sshd.  you should be setting up in a pretty secure environment in the first place.
[15:24] <kamusin> sorry for ask here but I am looking for a canonical sysadmin (our LocoContact need help)
[15:24] <ScottK> kirkland: Fundamentally, I think it's the Ubuntu Security team you have to convince (and at least one of them is a TB member - so doubly so for kees).
[15:24] <Pici> kamusin: Try #canonical-sysadmin
[15:25] <SpamapS> kirkland: I also recall that another discussion was centered around enabling it after the second stage and after updates have been applied.
[15:25] <kamusin> Pici, ;)
[15:25] <\sh> what I would like to see during an interactive server setup is to provide a ssh user key to install by default and sshd should default to key auth
[15:25] <pkstef> ?/
[15:25] <kirkland> ScottK: i have discussed this at length with kees, having filed the blueprint after in-person discussions with him in September
[15:25] <ScottK> OK.
[15:25] <ScottK> I like \sh's idea.
[15:26] <soren> How would that work? You would type in your public key?
[15:26] <ScottK> USB stick?
[15:26] <\sh> soren: or use an usb device and d-i will recognize it and push it to the installation target
[15:27] <SpamapS> \sh: you mean provide a means for the user to upload a public key right?
[15:27] <\sh> SpamapS: yepp
[15:27]  * diplo also likes that idea
[15:28] <\sh> SpamapS: something like RH or SLES did for third party kernel modules during server install
[15:28] <SpamapS> \sh: cloud-init can do it by grabbing it from an LP account. It would be cool to be able to say in the installer "Grab my SSH keys from: x, y, z"
[15:28] <SpamapS> This is why I like the 2 stage install idea so much.
[15:29] <\sh> SpamapS: yes..but think about that during interactive server setup you mostly don't need any network connection...
[15:29] <SpamapS> Garners respect from experts by giving them "just the base system" quickly, but enables new users by guiding them into things like this.
[15:29] <ttx> mathiaz: well well
[15:29] <patdk-wk> oh ya, grabbing a public key from x,y,z is very secure :)
[15:29]  * patdk-wk waits for x,y,z to be redirected
[15:29] <marrusl> Isn't the issue about defaults?
[15:30] <marrusl> rather than cool features.
[15:30] <mathiaz> ttx: would you mind triagging all the New,Undecided bugs for today Wednesday (as you used to) ?? ;)
[15:30] <ttx> mathiaz: hmmm
[15:30] <\sh> patdk-wk: we don't talk about public infrastructure x.y.z...it's more likely that you setup your server interactivly on local infrastructures..
[15:30] <SpamapS> patdk-wk: x,y,z is on SSL and the key would be shown to the user, duh. ;) Thats why we have OCSP and CRL's
[15:30] <kirkland> ScottK: kees said that as long as the user knows they're installing SSH, then it's fine by him;  hence the question in the installer
[15:30] <ScottK> OK.
[15:31] <ttx> mathiaz: as soon as I get to the "free time" I'm supposed to have in that new position, I will.
[15:31] <\sh> patdk-wk: regarding cloud installs this is a totally different matter...
[15:31] <SpamapS> wait, maybe I agreed with the wrong person. Did somebody NOT want the question in the installer?
[15:31] <patdk-wk> ya, cloud is different
[15:31] <mathiaz> ttx: :D
[15:31] <ScottK> SpamapS: The only arguement was over default.
[15:31] <SpamapS> Default *no*
[15:32] <\sh> patdk-wk: and most admins who are deploying their servers with automatic tools, they don't rely on d-i or tasksel, they deploy their users automatically and provide most of the times user keys by default
[15:32] <SpamapS> In fact, IMO, checkboxes that are defaulted on are almost always subversive. Its like asking people double-negative questions.
[15:32] <patdk-wk> \sh, yes, but we aren't talking about that
[15:32] <kirkland> SpamapS: i believe ScottK and I are in agreement that an installer question about SSH would be an improvement over the one buried in tasksel
[15:32] <ScottK> SpamapS: I agree, but kirkland feels strongly the other way.
[15:32] <ScottK> kirkland: Absolutely.
[15:33] <kirkland> SpamapS: the only disagreement I *think* there is between ScottK and i is whether <yes, install SSH> or <no, don't install SSH> is highlighted by default in the installer
[15:33] <SpamapS> Also would this checkbox do what we also discussed, which is to install it post-updates only?
[15:34] <kirkland> SpamapS: a 2-stage installer is probably 2+ Ubuntu releases away, IMHO
[15:34] <\sh> patdk-wk: fetching keys from a remote public site is always a security risk...and I woudln't want it..but fetching it from an USB device or from a local network location, this could be a good thing, especially regarding admins who are using preseeding or kickstarting ;)
[15:34] <SpamapS> kirkland: If highlighted means having to hit a key other than enter to leave it off then I am dubious as to why we are bothering to ask.
[15:34] <kirkland> SpamapS: adding a question to the installer is something we can do in a day or two, and vastly improve the ubuntu server install experience for thousands of users
[15:35] <patdk-wk> \sh, if I was preseeding, I would just have my own ubuntu package that contained my key, most likely, or make a package that installed it
[15:35] <mdeslaur> The security team's stance is adding a checkbox to install ssh is okay, as long as it defaults to off
[15:35] <SpamapS> kirkland: add the question yes! highlight "No" and include 2 other answers.. "Yes enable SSH" and "Tell me more" with scary language behind that.
[15:35] <jdstrand> no scary language
[15:35] <SpamapS> jdstrand: BOO!
[15:35] <jdstrand> :)
[15:35] <SpamapS> or rather
[15:35] <SpamapS> BOO I scare you, not BOOOO your idea sucks. ;)
[15:36] <kirkland> mdeslaur: is that a unanimous decision?
[15:36] <\sh> patdk-wk: well, people are leaving the companies, so keys are changing, a package needs to be newly build everytime that happens...user assets in your assetmanagement are much better and faster, and you can add some magic to it to provide keys or other user settings which could be useful during preseeding
[15:36] <SpamapS> kirkland: On the 2-stager.. why is that so far away? What do we have to do to strip things out of the main installer and change motd?
[15:37] <mdeslaur> kirkland: as per the last discussion we had, yes. I can re-confirm with everyone if you'd like.
[15:37] <kirkland> mdeslaur: please do;  would be nice if that discussion happened here
[15:37] <jdstrand> I'm not sure it has to be unanimous
[15:38] <mdeslaur> kirkland: ok, wait until kees and sbeattie arrive, and we'll discuss it
[15:38] <jdstrand> but regardless, mdeslaur stated my opinion as well
[15:38] <kirkland> SpamapS: because if there's this much disagreement about 1 page in the installer, imagine the complexity in rewriting it
[15:39] <SpamapS> kirkland: Fair enough. I don't think we can change much at all after this release though, so I'd almost rather see it changed radically in Natty according to what we discussed, and then let the response to that guide us on "O minus 1" so we get that right and change nothing in O.
[15:40] <SpamapS> kirkland: Also I don't think the "off by default but highlighted" option was clear while we were all talking. the "let the user choose" was though.
[15:41] <SpamapS> I do like a checkbox. I want it to stay off if the user just powers through the install though.
[15:41] <mdeslaur> Utimately, it changes the "no open ports by default" policy, which means it needs to pass tech board approval anyway
[15:41] <marrusl> I think one issue is initial experiences.  people just trying ubuntu server or coming over from rhel/sles just *expect* it to be there.  and the tasksel is too easy to miss.
[15:41] <SpamapS> whoa.. I just discovered "cmd-A" .. my windows .. they're.. flying around.
[15:41] <kirkland> mdeslaur: that policy is a mirage -> avahi
[15:41] <SpamapS> does avahi respond to unicast from other networks?
[15:42] <jdstrand> kirkland: it isn't a mirage
[15:42]  * SpamapS actually doesn't know
[15:42] <jdstrand> kirkland: avahi is the exception that the TB voted on
[15:42] <jdstrand> kirkland: just like you want an exception
[15:42] <kirkland> jdstrand: yes, and I volunteered to take SSH to the TB for an exception too
[15:42] <jdstrand> there is also language that the security team must approve it as well
[15:43] <gholms|work> How are canonical's stock EC2 images created?  All the docs that I've seen so far involve rebundling the stock ones, not building them from scratch.
[15:43] <jdstrand> with something as important as a login port hanging out there for anyone in the world to try to login with, I think the discussion with the security team should have been in the open. not with just one member somewhere else
[15:44] <jdstrand> if it was in the open and I missed it, I apologize
[15:44] <SpamapS> gholms|work: smoser can answer that pretty easily.
[15:44] <SpamapS> smoser: ^^ how do we make the EC2 images?
[15:44] <jdstrand> but at UDS, the members of the security team that attended that session for that bp said 'no'
[15:44] <smoser> gholms|work, https://wiki.ubuntu.com/UEC/Images/Publishing has most of hte info
[15:47] <\sh> marrusl: well, they you could say this: "people coming from RHEL/SLES are expecting a 'root' user to be there" ;)
[15:47] <\sh> s/they/then/
[15:48] <marrusl> \sh, touche.
[15:48] <marrusl> Still, it's not like we're talking about telnet here.
[15:50] <kirkland> marrusl: you'd think I was ....
[15:50] <gholms|work> smoser: Are things like package selection, mirror locations, and whatnot all hardcoded?  Where does the actual configuration take place?
[15:50] <\sh> marrusl: but we are talking about defaults of an interactive setup...as said, most serious server admins in enterprise environments won't use any interactive setup, but devs on vmware boxes to test a new release or admins to test new ubuntu releases...(before they start to deploy a new release automatically) ;)
[15:51] <gholms|work> User configuration...
[15:51] <marrusl> \sh, disagreed.  most serious server admins won't do that large scale, but many will use interactive setup during testing and prototyping.
[15:51] <SpamapS> So you make it enabled by default. But then you a) leave password auth turned off, or b) risk compromise through brute force attack...
[15:52] <kirkland> This is why the Ubuntu Desktop succeeds -- because they make sensible defaults and have the guts to make bold decisions
[15:52] <marrusl> \sh, well I guess we are agreeing to an extent there.
[15:52] <SpamapS> option a means you need to get keys to the box somehow (some interesting possibilities there actually)
[15:52] <\sh> marrusl: that's what I said :)
[15:52] <SpamapS> option b means you also need denyhosts, or iptables rules, or any number of things that don't work in some environments..
[15:52] <mdeslaur> kirkland: our bold decision is to not have openssh turned on by default, when other do
[15:52] <mdeslaur> s/other/others/
[15:53] <smoser> gholms|work, cloud-init handles first boot configuration
[15:54] <gholms|work> How about grub configuration?
[15:54] <\sh> SpamapS: you could even ask for an IP from where you are allowed to connect to the ssh port...there are many possibilities
[15:55] <smoser> gholms|work, well, it depends.  the code is all there in those repos listed from the link i gav eabove.
[15:55] <patdk-wk> hmm, ssh access to grub
[15:55] <SpamapS> \sh: yes, that would work. More options, though, is something others worked very hard to eliminate from the installer.
[15:55] <smoser> in image creation, we kind of hack in a grub2 config and a grub1 path.  grub1 is used by pv-grub on ec2, and grub2 is used by the 'loader' path on UEC.
[15:56] <SpamapS> patdk-wk: Actually that would be *unbelievably helpful*
[15:56] <smoser> on first boot, cloud-init figures out where it is running and seeds grub2 debconf so that the user isn't prompted in the future when update-grub runs
[15:58] <kirkland> jdstrand: mdeslaur: so just to be clear, we're disagreeing over the placement of the cursor in the interactive server install, whether it's hovering over <yes> or <no>?
[16:00] <mdeslaur> kirkland: yes. We want the person installing to make a deliberate choice to open ssh. (and, of course, this is only our opinion...tech board ultimately decides...)
[16:11] <\sh> SpamapS: it's always the difference between easiness and security...most of the time security is not the top priority ;)
[16:13] <jdstrand> I'm not sure of the benefits of making it that much easier. sure, yank it out of tasksel and present a clear question so people know ssh is enabled or not. make it preseedable. this way people don't miss it and we don't open a port be default or fail compliance tests, etc
[16:14] <SpamapS> \sh: right, so its important to illuminate risks and never put anybody in harm's way without at least giving them a sword and shield in the fight. :)
[16:14] <ads> re
[16:14] <ads> ok, third channel ...
[16:14] <ads> Ok, who's responsible for the PHP mess in Ubuntu? ;-)
[16:14] <gholms|work> smoser: So on Eucalyptus it uses grub1 to load grub2?  What eki/eri do you have to use for that?
[16:15] <ads> I can't get PHP to log parse errors even though I configured every known option and phpinfo() tells me all options are switched on.
[16:15] <gholms|work> Just one with grub2, or...?
[16:15] <smoser> gholms|work, on eucalyptus, in maverick, there are patches in the ubuntu eucalyptus package that handle it
[16:15] <SpamapS> ads: we're all responsible for it in some way.. unless we already filed that bug report. ;)
[16:16] <ads> ;-)
[16:16]  * gholms|work wishes deb sources had discrete patches
[16:16] <smoser> the basic logic is "if a 'kernel' is a multiboot image, then put it on a floppy disk, boot from the floppy"
[16:16] <SpamapS> ads: you're running it via libapache2-mod-php5 I presume?
[16:16] <ads> SpamapS: version 5.3.2-1ubuntu4.5, yes
[16:17] <smoser> then, we publish multiboot images with our uec-images tarballs (named '-loader') that can be registered. those -loader files basically multiboot off of (hd0,0)/boot/grub/grub.cfg
[16:17] <gholms|work> smoser: Is that all there to work around the lack of pvgrub?
[16:19] <smoser> gholms|work, well, it provides the same function. and generally the same flow.
[16:20] <SpamapS> ads: ok, so you just want to set something like 'error_log=syslog' and error_reporting=E_ALL   right ?
[16:20] <gholms|work> smoser: How do you decide whether something is a multiboot kernel?
[16:20] <smoser> its just more flexible. outside of the floppy hack, its fairly clean.  we promise to the image creator, that if a kenrel is a multiboot image, then it will be loaded specially.
[16:20] <smoser> gholms|work, its fairly determinable.
[16:20] <ads> SpamapS: display_errors is On, display_startup_errors is On, error_reporting is set to E_ALL
[16:21] <smoser> http://bazaar.launchpad.net/~ubuntu-virt/ubuntu/maverick/eucalyptus/2.0/annotate/head%3A/debian/patches/22-uec-multiboot-kvm.patch is the patch
[16:21] <ads> SpamapS: when I set error_log PHP does not even touch this file.
[16:21] <SpamapS> ads: display errors doesn't "log" errors .. so you want them on the page?
[16:21] <gholms|work> smoser: What does upstream think of it?
[16:21] <SpamapS> ads: did you look in /var/log/apache2/error.log ?
[16:21] <ads> SpamapS: this was a test. In case of an parse error I just get a white website with no content at all.
[16:21] <ads> SpamapS: I did, nothing.
[16:21] <smoser> eucalyptus is generally in favor, and we hope to have it (or something like it) into 2.1.  Daviey <---
[16:22] <smoser> gholms|work, fwiw, the easiest solution woudl have been to just let kvm load the multiboot image
[16:22] <ads> SpamapS: basically I want to see my parse errors, that's all. This is my own dev system, no production system.
[16:22] <smoser> but due to a bug/missing feature, that wasn't really possible
[16:22] <gholms|work> smoser: If it's running on kvm, sure.
[16:22] <smoser> https://bugs.launchpad.net/ubuntu/+source/seabios/+bug/611142
[16:23] <ads> SpamapS: and no, parse errors don't go into the apache logfile.
[16:23] <ads> SpamapS: It seems like php is just hiding them.
[16:24] <\sh> ads: you did set it in /etc/php5/apache2/php.ini ? (asking just to be sure)
[16:25] <SpamapS> and restart apache
[16:25] <ads> \sh: yes - and I checked the actual values with phpinfo()
[16:25] <ads> SpamapS: yes
[16:26] <ads> Hell, I'm using PHP since version 3.something, configured a lot boxes, but never seen such a behaviour
[16:27] <SpamapS> ads: and cli php does what you'd expect?
[16:27] <ads> Let's test
[16:28] <ads> No. I get some startup warnings about deprecated stuff (because I have E_ALL), but I get no error message. The php file just contains one invalid line (random chars)
[16:28] <\sh> Anyways..../me needs to go home now...and care for my baby ;)
[16:31] <SpamapS> ads: this is lucid, yes?
[16:31] <SpamapS> (10.04)
[16:32] <ads> yes
[16:34] <SpamapS> ads: with the default install I get parse errors in /var/log/apache2/error.log
[16:34] <SpamapS> [Wed Nov 03 09:33:49 2010] [error] [client 127.0.0.1] PHP Parse error:  syntax error, unexpected ';', expecting T_STRING or T_VARIABLE or '$' in /var/www/test.php on line 1
[16:35] <SpamapS> ads: and most things in phpinfo() show "No value"
[16:35] <ads> SpamapS: I would expect the same. Same configuration works on several boxes, just not on this one.
[16:35] <SpamapS> ads: which means we're just using the SAPI default
[16:36] <SpamapS> ads: can you post your phpinfo() somewhere?
[16:36] <Steve[cug]> does anyone happen to know if rsyslog supports ip spoofing like syslog-ng does?
[16:36] <ads> SpamapS: let me extract the details
[16:36] <SpamapS> Steve[cug]: thats just.. evil! ;)
[16:36] <Steve[cug]> what?
[16:36] <SpamapS> Steve[cug]: changing the IP of packets just because you can. ;)
[16:36] <Steve[cug]> lol
[16:37] <Steve[cug]> I need to send the messages to the correlation engine, and the only way for the engine to pick everything up properly is if i spoof the packet
[16:37] <SpamapS> Sounds like a crappy engine. ;)
[16:38] <Steve[cug]> :-p  actually its prolly one of the best engines out there IMHO, but it doesnt expect to be the endpoint of another syslog aggregater
[16:41] <SpamapS> Steve[cug]: that always was syslog-ng's big crusade wasn't it?
[16:43] <ads> SpamapS: http://pgsql.privatepaste.com/ae7ea92913/w3e4rtfzg
[16:43] <Steve[cug]> SpamapS: to be a large aggregator...yes.
[16:44] <Steve[cug]> unfortunately for reasons unknwon to me I was asked if we could use rsyslog instead...as I have to recompile the syslog-ng package to enable ip spoofing
[16:51] <SpamapS> Steve[cug]: is syslog the only way you can get things into the engine? Maybe it has other ways of taking data that are more suitable to rsyslog.
[16:51] <Steve[cug]> SpamapS: its the only way we can get many things
[16:51] <Steve[cug]> so yes
[16:51] <SpamapS> ads: weird!
[16:52] <SpamapS> Steve[cug]: but I mean, could it take the source from the content of the message rather than the source IP address?
[16:53] <SpamapS> Steve[cug]: I wonder if this might help.. http://www.rsyslog.com/doc/property_replacer.html
[17:15] <ScottK> JamesPage: The existing binary can be moved to Main, so rebootstrapping isn't required.
[17:16] <kinygos> apologies for the noob question....is it possible to configure fail2ban to not unban an address?  or should i just the ban time to a big number?
[17:19] <ads> re
[17:19] <ads> SpamapS: you name it!
[17:20] <patdk-wk> kinygos, comment out actionunban?
[17:22] <zul> SpamapS: ping [cilnt-fewbar] MySQL: investigate and resolve conflicts between mariadb and mysql's libmysqlclient: TODO <-- good luck on that ;)
[17:23] <ads> zul: *fg*
[17:23] <kinygos> patdk-wk: i don't have an actionunban or anything that looks like it...i'll google
[17:23] <patdk-wk> did you check out the actions directory?
[17:25] <kinygos> patdk-wk: awesome :)  thank you very much for your help
[17:25] <SpamapS> zul: what could they possibly be doing in their *client* library that doesn't make it *necessarily* a new libname ?
[17:25] <SpamapS> zul: my thinking is, if they've changed the API fundamentally, they should fork and not call themselves libmysqlclient
[17:25] <zul> SpamapS: binary compat is a bit big thing for them...but i agree with you
[17:26] <SpamapS> zul: riddle me this, can libraries be managed via alternatives?
[17:26] <zul> SpamapS: doubt it
[17:27] <SpamapS> yeah it would probably be a bad idea even if they ABI was compatible.
[17:32] <ScottK> SpamapS: It would be useful if mysql were packaged so that multiple versions could be installed along side for transition purposes (e.g. like postgresql).  If this were done, it would probably be easy enough to extend it to cover mysql-fork-of-the-day.
[17:35] <SpamapS> ScottK: looks like what they've done is just call it something else. http://www.percona.com/downloads/Percona-Server-5.1/Percona-Server-5.1.51-11.5/deb/lucid/x86_64/
[17:35] <ScottK> OK.
[17:35] <SpamapS> ScottK: not sure what maria is doing..
[17:36] <SpamapS> But really they all want ownership of port 3306 .. so I'm not sure how they can really coexist. ;)
[17:36] <patdk-wk> heh, I do it just fine :)
[17:38] <SpamapS> True you can set a policy to not mess with those services, and then manually configure their listen ports/restart them/etc.
[17:38] <SpamapS> I kind of like the approach mtaylor was talking about doing for drizzle.. where it installs all of the software just fine, and the default configs come in packages that conflict with one another.
[17:39] <SpamapS> I haven't looked close enough at pgsql, but I think thats what it does too.
[17:43] <ScottK> There's a postgresql-common package that manages it.
[17:43] <ScottK> (IIRC, something like that, YMMV)
[17:43] <SpamapS> no IANAL?
[17:44] <ScottK> TANSTAAFL too
[18:22] <Wise_> how do I move folders exactly? just mv tells me "directory not empty" mv -R or -r tells me invalid option
[18:22] <Wise_> :|
[18:25] <krycek_> does ubuntu 10.10 support Dell Poweredge T410 server? in the ubuntu page says it supports R410. But it almost the same machine.
[18:25] <RoyK> krycek_: isn't the difference between the two just that T- is tower and R- is rack?
[18:26] <krycek_> should be, i guess
[18:26] <krycek_> but there is no reference of T410 in the ubuntu page
[18:26] <RoyK> krycek_: just try it, if you have the box, that is
[18:26] <krycek_> not yet
[18:27] <RoyK> krycek_: also, testing 10.04 first might be worth a thought as well, since 10.10 isn't LTS
[18:28]  * RoyK only uses LTS releases on servers unless he's forced to do otherwice
[18:29] <krycek_> what will be the next LTS?
[18:29] <Pici> 12.04
[18:29] <RoyK> 12.04
[18:29] <RoyK> krycek_: that is, there are new sub-releases every now and then
[18:29] <RoyK> 10.04.1 is the latest
[18:30] <krycek_> hmm... ok
[18:30] <krycek_> tkz
[18:30] <RoyK> LTS releases are supported for 5 years, non-LTS for 18 months
[18:32] <RoyK> and IMHO most servers won't need cutting (or bleeding) edge versions for the most part
[18:32] <RoyK> krycek_: what sort of server is it you're setting up?
[18:32] <krycek_> web, dns, mail
[18:33] <krycek_> and some databases for some apps used here in the company
[18:33] <RoyK> I'd stick to 10.04 for that
[18:33] <krycek_> any recommended material for first time admins?
[18:33] <RoyK> krycek_: and if someone needs the mysql 6 pre alpha something, use a VM for that to isolate it
[18:34] <RoyK> !guide
[18:34] <krycek_> no need for mysql 6
[18:34] <krycek_> !guide
[18:34] <RoyK> https://help.ubuntu.com/10.04/serverguide/C/index.html
[18:34] <Pici> !guide is <alias> serverguide
[18:34] <RoyK> stupid bot didn't know that...
[18:34] <Pici> now it does.
[18:34] <RoyK> k
[18:34] <RoyK> !guide
[18:35] <RoyK> danke
[18:35] <Pici> \o/
[18:35] <krycek_> hehe, thanks
[18:36] <krycek_> do you recommend to use another box to take care of the firewall/routing part? or using just one box for all is ok?
[18:37] <RoyK> krycek_: depends on your needs - it's generally a good idea to use a separate box for firewalling, and if you're a newbie, something like pfSense might be worth a try
[18:37] <RoyK> it's really light-weight, all GUI and is easy to setup/manage
[18:38] <krycek_> pfSense, I'll take a look into that
[18:38] <RoyK> and based on freebsd, so if you're picky of the OS, maybe something linux-based might be better, but still, pfSense is very well tested
[18:38] <krycek_> you are very helpfull, RoyK , thanks again
[18:38] <RoyK> :)
[18:41] <RoyK> lol - pfSense can be setup to block windoze machines by passive fingerprinting :D
[18:42] <pmatulis> RoyK: runs openbsd's PF?
[18:42] <RoyK> *bsd pf, I guess
[18:43] <pmatulis> RoyK: right, that's from OpenBSD.  ported to FreeBSD
[18:43] <RoyK> pmatulis: I don't know too much about the details - check if there's another channel available if you want to dig into that...
[18:43] <pmatulis> RoyK: no need to dig
[18:43] <RoyK> :)
[18:45]  * pmatulis runs OpenBSD at home (and uses PF quite a bit)
[18:46]  * RoyK hasn't install obsd for _years_
[18:51] <krycek_> for a newbie is it ubuntu the right distro? or CentOS should be easier?
[18:51] <joesuffceren> I need a little help with NTP. I am trying to get my ubuntu box to sync with my Windows domain controller. (I have also tried using us.pool.ntp.org servers with the same results described below). I can use ntpdate -u to sync the time just fine, but when I set them up as server entries in ntp.conf, they don't work
[18:51] <RoyK> krycek_: I wouldn't recommend centos or that sort of thing - ubuntu has everything you'll need
[18:52] <krycek_> I ask because I've just read: http://www.twincling.org/node/689
[18:52] <joesuffceren> ntpq -p shows my servers that I configure in ntp.conf, but none of them ever has an asterisk beside it, which, if I understand, means it's not actually syncing with them
[18:52] <krycek_> and he says: CentOS provided the fastest configuration time, lowest learning curve, better ROI, superior package management system, and a good fuzzy feeling of stability.
[18:52] <RoyK> krycek_: I somehow think the person that wrote that is a centosist without much regard for technology
[18:53] <krycek_> hehe
[18:53] <RoyK> krycek_: we have about a hundred servers, most of them on solaris and different linux distros - we're moving most of those to ubuntu, for good reason
[18:53] <krycek_> it's a very hard decicion for a web developer to make hehehe
[18:54] <RoyK> for a web developer, you won't find much difference between the two, except that there are perhaps 10x more packages available in ubuntu, meaning if you need this or that apache extension, or this or that special library, you just install it instead of having to compile it from source
[18:54] <RoyK> or find some obscure package at some site somewhere
[18:55] <Steve[cug]> krycek_: I typically handle it this way... Ubuntu LTS for any server except when a software vendor requires I run RHEL
[18:56] <RoyK> krycek_: also, centos is not officially supported, and if you're paranoid, you can get ubuntu support from Canonical quite cheaply
[18:56]  * RoyK hands Steve[cug] a beer
[18:56] <Steve[cug]> RoyK: ;)
[18:56] <RoyK> Steve[cug]: that's exactly what we are doing
[18:57] <Steve[cug]> I like Ubuntu/Debian's method of handling packages a lot better then RHEL/CentOS/SLES
[18:57] <krycek_> ok then, I'll use your expertise and use ubuntu LTS
[18:57] <RoyK> Steve[cug]: except some rare cases where this or that developer or researcher needs a special distro
[18:57] <Steve[cug]> krycek_: yeah stick to LTS's for servers
[18:57] <Steve[cug]> RoyK: oh we dont allow for that
[18:57] <Steve[cug]> you have a choice...Ubuntu, RHEL, or SLES (only for Telecom)
[18:58] <krycek_> do you own a hosting company?
[18:59] <RoyK> Steve[cug]: we need to sometimes - some projects use developers or scientists from other countries developing intstrument apps for certain distros - for those cases we have a few fedora machines. But then, I've managed to talk at least one of these groups to use ubuntu instead
[18:59] <Steve[cug]> most of my infrastructure is Ubuntu, some of our vendor stuff requires RHEL, so we have a small smattering of RHEL boxes, and Telecom uses SLES because the company we use for Voip is a german one
[18:59] <RoyK> krycek_: I  work for nilu.no - dunno what Steve[cug] does
[18:59] <Steve[cug]> I work for a mid-size insurance co
[19:00] <RoyK> krycek_: but still - if you need something that's not in 10.04, just setup a VM and install whatever you might need on that
[19:00]  * RoyK hands krycek_ some MSDOS 6.22 floppies
[19:00] <krycek_> using what? KVM?
[19:00] <RoyK> kvm is the preferred, yes
[19:00] <RoyK> and using virt-install it's quite simple to use
[19:00] <RoyK> just like your average windoze app
[19:01] <RoyK> :)
[19:01] <Steve[cug]> RoyK: but KVM isnt always the best option unfortyunately
[19:01] <Steve[cug]> *unfortunately
[19:01] <RoyK> Steve[cug]: imho it works well enough for most platforms
[19:02] <Steve[cug]> poor krycek_, we are confusing him
[19:02] <RoyK> Steve[cug]: what else? xen?
[19:02] <RoyK> :)
[19:02] <krycek_> I'm looking for a VPS provider, do you have any one to recommend?
[19:02] <Steve[cug]> RoyK: KVM sucks for large bandwith needs.  I need to use Xen in those cases
[19:02] <krycek_> Steve[cug], what would be the second option?
[19:02] <krycek_> ok
[19:02] <Steve[cug]> krycek_: depends on how much hand-holding you need IMHO
[19:02] <RoyK> krycek_: with a new server, you can easily run the VMs in-house
[19:03] <RoyK> krycek_: just use KVM
[19:03] <RoyK> krycek_: if that becomes a problem, try something else, but mostly, it'll work well
[19:03] <Steve[cug]> krycek_: KVM is highly preferred because unless you in an edge-case (like my stuff tends to be) running a vanilla kernel ala KVM is much more beneficial than Xen's highly modified kernel
[19:03] <Steve[cug]> s/you/your/g
[19:04] <RoyK> Steve[cug]: I'm not sure if that's the case with paravirtualized block devices, as those you have on 10.04 guests
[19:05] <krycek_> all right, but i dont think i'll need to use it
[19:05] <krycek_> at least for now
[19:05] <RoyK> krycek_: just use kvm if you need virtualization - you'll find out quickly if it fits your needs
[19:05] <Steve[cug]> RoyK: Xen has near-native networking performance, KVM (and VMWare) still take a heafty hit...esp when you are virtualizing passive network sensors ;)
[19:06] <RoyK> well, I'm not :P
[19:06] <Steve[cug]> well I am ^_^
[19:06] <Steve[cug]> :-p
[19:06] <RoyK> Steve[cug]: then you're confusing a newbie :þ
[19:06] <Steve[cug]> i kow....it's what im good at.  I did say that unless you in an edge case, KVM is the way to go
[19:07] <krycek_> let's hope for no edge cases then :)
[19:07] <RoyK> krycek_: if you're new at this, it'll take some years before you reach that point
[19:07] <Steve[cug]> now if only LXC didnt still suck in userland, then we wouldnt need heavily modified kernels for virt or containers anymore
[19:08] <RoyK> LXC?
[19:08] <Steve[cug]> krycek_: yeah, I'm a network Security Engineer, so I play with edge cases all the time
[19:08] <Steve[cug]> LXC == OpenVZ in vanilla kernels
[19:08] <RoyK> k
[19:09] <Steve[cug]> OpenVZ is a huge ugly patch on the kernels
[19:09] <RoyK> krycek_: just to summarize this discussion - use KVM for virtualization - if or when something goes wrong, ask again
[19:09] <krycek_> k, i'll
[19:10] <krycek_> RoyK, what you company does exactly?
[19:10] <krycek_> i dont understand that language
[19:10] <Steve[cug]> yes
[19:10] <RoyK> krycek_: press the English link at the top left corner :)
[19:11] <Steve[cug]> lol
[19:11] <krycek_> there it is, usually it is the top right corner ;p
[19:12] <RoyK> basically NILU is Norwegian institute for air research, which means pollution measurments, cliate modeling, health research and a few more things
[19:12] <krycek_> suddently it all makes sense
[19:13] <RoyK> not my fault - those windoze guys doing the web stuff aren't my cup of tea
[19:13] <Steve[cug]> agreed
[19:14] <Steve[cug]> esp when they mostly just use apache on wintel :-p
[19:14] <Steve[cug]> IIS *shudders* is just horrid
[19:15] <RoyK> it's quite nice to use against people you don't like, as in, hey, this IIS server has a problem, we can't have any downtime, though, can you try to fix it?
[19:15] <kinygos> lol
[19:15] <Steve[cug]> lol
[19:17] <krycek_> pfSense looks nice²
[19:19] <RoyK> there should have been an ARM port for it, though
[19:20] <krycek_> maybe it is in their roadmap
[19:20] <RoyK> doesn't look like it http://doc.pfsense.org/index.php/Does_pfSense_support_non-i386_hardware_platforms%3F
[19:21] <krycek_> damnit
[19:21] <RoyK> anyway - atom systems doesn't cost too much these days
[19:21] <RoyK> and it really doesn't matter to me what the arch is, so long as it works
[19:22] <kinygos> i've configured apache2 to generate my web app logs outside of /var/log...what would be the best practice way of rotating them?  using logrotate or piping them to rotatelogs?
[19:23] <RoyK> I'd use logrotate, but then, that's only my choice
[19:24] <kinygos> RoyK: do you know if it's possible for me to just point logrotate at my app's log directory, or do i need to do anything exotic?
[19:25] <RoyK> kinygos: take a look at the files under /etc/logrotate.d
[19:25] <RoyK> it's quite easy to configure that
[19:26] <kinygos> RoyK: i did, found an apache2 one...do i just create a copy of it for my app, with my app log directory?
[19:26] <Steve[cug]> you may need to modify the apparmor settings for logrotate as well
[19:27] <RoyK> Steve[cug]: really?
[19:28]  * kinygos just looked at the AppArmor man page and his mind is boggling
[19:28] <Steve[cug]> lol, its not that bad
[19:28] <RoyK> kinygos: just try with logrotate - if it fails, cron will email root
[19:28] <sbeattie> There's no apparmor policy for logrotate by default, in any event.
[19:28] <RoyK> that's what I thought
[19:29] <Steve[cug]> good to know
[19:29] <Steve[cug]> I just always check just to be safe
[19:29] <Steve[cug]> hence i said you *may* need to :-p
[19:30] <RoyK> Steve[cug]: I'd say, better keep quiet unless you know something's going to fail - there's a lot of newbies that may panic (or at least get distressed) if a lot of new things come up
[19:31] <RoyK> and if things fail, they'll tell us anyway
[19:32] <kinygos> lol...my brain is fuzzing...i set out to configure rotating logs on my web app, starting learning about LinuxLogFiles (excellent do on help.ubuntu.com)...realised i had numerous spurious attempts to log in on ssh to my server...so had to learn about portknocking, the iptables config on my server, and generally battoning down the ssh hatches...configured fail2bin...and now i've got to learn about cron...
[19:32]  * kinygos is a total noob
[19:32] <Steve[cug]> thats one way to handle it.  i've typically noticed that trying to cover all of the bases so that if it fails, they dont spend forever pulling their hair out thinking they did something wrong when it really wasnt their fault.
[19:33] <kinygos> bloody great fun learning this stuff though
[19:33] <RoyK> kinygos: fail2ban or denyhosts are good packages to block bots
[19:33] <SpamapS> kinygos: you seem to be having fun though. :)
[19:33] <RoyK> I think I'd recommend denyhosts since it works by distributing "bad" IPs
[19:33] <kinygos> lol...i meant fail2ban...and it is awesome :)
[19:33] <RoyK> denyhosts is even better, though a bit more nazi on the rules (by default)
[19:34] <SpamapS> Its also a reasonly good idea these days to just run SSH on an alternate port. :-P
[19:34] <_ruben> security through obscurity ftw!
[19:34] <kinygos> at the same time, i'm developing an e-commerce web application that has to go live before christmas this year
[19:34] <Steve[cug]> SpamapS: I disagree with that, security through obscurity is no security at all
[19:34] <SpamapS> denyhosts seems to catch about half of the ips that are brute forcing.
[19:34] <RoyK> SpamapS: not really - I always run on 22, but then, using denyhosts, people won't get much chance to brute their way in
[19:35] <kinygos> i read about running ssh on a different port, and there's a lot of people that think it's not worth the inconvenience
[19:35] <SpamapS> Steve[cug]: its not security at all, its convenience, for *me* to not have to attend to so many red flags in my logwatch. ;)
[19:35] <RoyK> kinygos: I agree
[19:35] <SpamapS> i have boxes on both setups
[19:35]  * kinygos is googling denyhosts :)
[19:35] <X-Sleepy-X> how can i install 10.04 or 10.10 server on my armada e500 with 64 mb of ram
[19:35] <RoyK> kinygos: apt-get install ......
[19:36] <Steve[cug]> one of the best ways to lock down SSH is to just stick to the simplistics.  Disable interactive and password auth and sticking to just ssh keys, disabling root logins, and getting sudo setup with least priviledged access
[19:36] <SpamapS> on a CentOS box I admin that does have port 22 open.. $ sudo grep "Failed password" /var/log/secure*|wc -l
[19:36] <RoyK> kinygos: after moving to fail2ban/denyhosts I haven't had a single breakin except for some password that got leaked some time back, and that guy came in with ftp
[19:36] <SpamapS> 81
[19:36] <kinygos> RoyK: wow...now that is what i like to hear :)
[19:36] <SpamapS> $ sudo grep "refused connect from" /var/log/secure*|wc -l
[19:36] <SpamapS> 227
[19:37] <SpamapS> so I guess these days deny hosts is doing better than 50% :)
[19:37] <RoyK> SpamapS: :)
[19:37] <SpamapS> 65248 /etc/hosts.deny
[19:37] <Steve[cug]> port knocking and non-std ports are just more trouble than they are worth, esp when running through more restricted networks
[19:37] <Steve[cug]> >.<
[19:38] <SpamapS> Steve[cug]: unless of course you are on a network that restricts port 22. ;)
[19:38] <kinygos> the daemon to monitor the port knocks is a single point of failure
[19:38] <RoyK> SpamapS: wc -l ?
[19:39] <Steve[cug]> SpamapS: true, but typically that isnt restricted because of FTPS
[19:39] <SpamapS> RoyK: yeah
[19:39] <RoyK> that's quite a few :þ
[19:39] <SpamapS> RoyK: thats denyhosts :)
[19:40] <SpamapS> I need to look into just configuring it to feed into iptables and just block all traffic. I don't see why I'd want to receive anything from these loathesome zombies. ;)
[19:40]  * SpamapS heads to lunch
[19:40] <RoyK> damn - I'm <300 on my private boxes - not that much traffic on those, though
[19:41] <zul> you have to be careful with denyhosts you dont want to lock yourself out
[19:41] <kinygos> right...i've gotta go watch the arsenal game with my son...i may have questions about denyhosts when i return...thanks for your help everyone :)
[19:41] <Steve[cug]> zul: exactly
[19:41] <Steve[cug]> I have seen peopl to that on VPSs, quite funnly really
[19:41] <kinygos> and that's what i was worried about zul...i only have remote access to this server
[19:41] <Steve[cug]> *people
[19:42] <RoyK> kinygos: enjoy the game :)
[19:42] <SpamapS> I (shock) whitelisted my whole class C. Everybody in my neighborhood in Los Angeles *MIGHT* be able to brute force my SSH passwords! Oh noes
[19:42] <Steve[cug]> lol
[19:42] <Steve[cug]> SpamapS: thats ofcourse assuming that your DHCP range is restricted to that class C
[19:43] <RoyK> the 192.168.x.x/24 for the open WLAN?
[19:43] <Steve[cug]> lol
[19:44] <Steve[cug]> prolly more like thatever public block he is on
[19:44] <Steve[cug]> *whatever
[19:45] <_ruben> ssh passwords, yuck
[19:48] <RoyK> _ruben: keys can be lost too, you know
[19:49] <_ruben> i wonder if (open)sshd can be configured to require both a key and the local passwd
[19:50] <Steve[cug]> _ruben: actually I got a Yubikey that I use on my stuff.....works great.  then SSH keys aren't really needed
[19:50] <Steve[cug]> just need to make sure you have a coupld of keys incase you loose one setup in the system
[19:51] <RoyK> _ruben: I guess that's just a matter of PAM magick
[20:02] <makomi> hi, anybody use netatalk with mac clients?
[20:02] <TuxM> install trouble: text during installation all scrambled. tried various boot options but to no avail... any suggestions?
[20:04] <makomi> if i select on my mac the afp server i see in logfile of netatalk: "AFP/TCP session from IP" and the next line "server_client PID done"
[20:04] <makomi> how could I use the credentials from my mac to connect to netatlak automatically?
[20:06] <RoyK> makomi: I think the preferred way of sharing to Mac's is using samba or NFS these days - AFP is a little oldish
[20:07] <makomi> but it´s comfortable thru avahi :)
[20:07] <makomi> but i could use avahi with smb
[20:07] <Steve[cug]> samba + avahi is the way to go
[20:11] <TuxM> install trouble: text during installation all scrambled. tried various boot options but to no avail... any suggestions?
[20:13] <RoyK> TuxM: try vga16fb.modeset=0
[20:13] <RoyK> kernel commandline
[20:13] <RoyK> or grub, even
[20:16] <TuxM> RoyK: You're my hero, kernel gave a message: modeset unknow command (or something like that) but it now works! thanks a million
[20:17] <RoyK> :)
[20:18] <RoyK> I got that from some list - trying to install ubuntu on Hyper-V was terrible - screen updates took for ever - that command did it
[20:18] <TuxM> it also works like a charm on this old VIA motherboard
[20:19] <RoyK> it should work with anything, really, since it basically turns off the framebuffer and uses the old ASCII thing instead
[20:20] <TuxM> i tried the fb=false parameter, but that didn't work...
[20:23] <RoyK> TuxM: I know
[20:30] <ScottK> kirkland: I think marking the entire spec obsolete is an over-reaction.
[20:31] <kirkland> ScottK: would you like me to assign it to you?
[20:31] <ScottK> kirkland: Was the ssh part of the spec the only part you were willing to work on?
[20:32] <ScottK> I'd be willing to discuss getting the ssh question implemented in D-I with cjwatson or someone else appropriate, but I'm not qualified to do the implementation.
[20:32] <kirkland> ScottK: the rest of my suggestions in that spec were killed as well (minimal install + better deluxe install)
[20:32] <kirkland> ScottK: that doesn't leave a whole lot left
[20:33] <kirkland> ScottK: in terms of what I had hoped to do with that spec
[20:33] <cjwatson> I don't really want a separate question for it, TBH - you're already asked a question in the server install that includes installing openssh-server as one of its options
[20:33] <cjwatson> (if I'm understanding this correctly)
[20:34] <ScottK> kirkland: I thought that evolved into the idea of base install, reboot, and then add goodies as desired through some easy method (like ubuntu-init instead of cloud-init).  Was that another spec?
[20:36] <ScottK> cjwatson: The problem we have is that ssh-server gets a bit lost in tasksel so people forget it.  Having an explicit question in the installer was a compromise thought between leaving it where it was (often forgotten)  and installed by default (which a number of people didn't like)
[20:37] <cjwatson> that seems a bit like an arms race to me, TBH
[20:37] <cjwatson> we could perhaps adjust sorting in tasksel
[20:37] <cjwatson> that's probably relatively simple, file a bug on Ubuntu tasksel if you want that
[20:37] <ScottK> Perhaps, but ssh-server is a bit unique in that we (fsvo we) don't want it by default, but if it's forgotten it can leave people without access to a server.
[20:37] <kirkland> ScottK: mathiaz suggested the 2-stage-installer in this session;  that was never my goal in this spec;  if we want a 2-stage server installer, that probably deserves a new spec of its own
[20:38] <ScottK> I don't know of any other packages that fit those criteria.
[20:38] <ScottK> kirkland: OK. I'm mixing the sessions then.
[20:38] <kirkland> ScottK: no, it was the same session;  your memory is correct
[20:38] <ScottK> Oh.  OK.
[20:39] <cjwatson> sorting> I meant just putting openssh-server at the top of the list so that it isn't so easily forgotten
[20:40] <kirkland> cjwatson: I'm arguing that a server isn't much of a modern server without SSH, in the real world;  we have made an exception for avahi on the desktop in the interest of usability;  I proposed in this session that we pursue a similar exception for SSH on the Ubuntu Server as "the critical application required to get to your server *after* you've installed the darn thing"
[20:40] <kirkland> cjwatson: we do, by the way, install SSH and open a host of ports for Eucalyptus, if you click, "Install UEC"
[20:40] <cjwatson> oh damn, I really didn't want to get into this now.  IMO the security team has had their say on this and that carries a lot of weight for me
[20:41] <ScottK> kirkland: WRT avahi, I'd argue that was an error even for desktops and not a great precedent to follow for servers.
[20:41] <cjwatson> UEC is a very special case
[20:41] <soren> I wish we some day will actually decide to do to Ubuntu Server what we did to Ubuntu Desktop.
[20:41] <kirkland> cjwatson: yup, they have;  which is why i just killed the spec
[20:41] <ScottK> cjwatson: We can defer the discussion to a later time.
[20:41] <kirkland> soren: make it friendly and usable?
[20:41] <soren> kirkland: Yes.
[20:42] <cjwatson> anyway, this discussion implies to me that at least we ought to change the sorting.  that's easy to do.  can somebody please file a bug on Ubuntu tasksel for that?
[20:42] <soren> I'm sure lots of then existing linux users disagreed with what we did to Ubuntu on the desktop.
[20:42] <ScottK> Sure.
[20:43] <soren> Yet we decided to actually change things and be bold.
[20:43] <soren> It worked out pretty darned well, IMO.
[20:44] <ScottK> cjwatson: Bug #670611
[20:44] <cjwatson> thanks
[20:44] <ScottK> You're welcome.
[20:44] <soren> Have a "I'm new to this, please help me along a bit" option on the boot splash next to a "I don't care about your new fangled stuff. I'm old school" option would be fine.
[20:44] <cjwatson> soren: I think the pool of available Linux users who weren't being reached was a great deal larger on the desktop
[20:45] <cjwatson> and the risk of pissing off established people rather smaller
[20:45] <kirkland> soren: https://blueprints.launchpad.net/ubuntu/+spec/packageselection-server-n-install-flavors <--- that's what i was suggesting there, two options in the splash menu, one ultra-minimal, the other "deluxe"
[20:46] <kirkland> soren: ultra-minimal geared at old school admins who want to apt-get install from a base install;  deluxe adding a lot more bells and whistles, friendlies, helpers and niceties
[20:47] <soren> cjwatson: A hypothesis that has yet to be tested properly.
[20:47] <soren> kirkland: Look through the ubutnu-server ml archives and you will see lots of long, long, long e-mails about similar things.
[20:47] <cjwatson> the idea that I'll survive if I jump out of Millbank is also a hypothesis that has yet to be tested properly, but I'm not really keen to commit to it. :-)
[20:48] <cjwatson> and BTW I think the risks associated with giving people unfamiliar with Linux an SSH server are rather greater than the risks of giving uneducated desktop users an open Avahi port; I disagree that those two are remotely similar
[20:49] <kirkland> cjwatson: the similarity is that an exception was evaluated and granted
[20:49] <cjwatson> except in this case it was evaluated and denied ...
[20:49] <kirkland> for open network port, by default
[20:49] <cjwatson> (for server, not for UEC - UEC is wildly different)
[20:54] <JanC> IMO server deluxe should have SSH running by default, with ufw connect-rate-limiting port 22 by default too of course  ;)
[20:54] <soren> I'm not completely decided on the ssh-by-default question.  It was just an example of "hey, let's try to actually change something" that was thwarted by "no, that's not how we did it 10 years ago, why should we do it now?" sort of arguments.
[20:55] <ScottK> soren: I don't think that's what the argument against it was at all and to characterize it as such is unfair.  I could equally accurately characterize those in favor arguing that only usability matters and security is irrelevant.  I don't think either is true.
[20:56] <CarlFK> where is the server version of http://archive.ubuntu.com/ubuntu/dists/maverick/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/
[20:56] <soren> ScottK: Sorry, I wasn't in the session at UDS, but it sounds to me to have been suggested as part of a set of changes that were rejected wholesale with those sorts of arguments.
[20:56] <soren> ScottK: If that's not the case... good! It's tiring.
[20:57] <ScottK> soren: I think it was more nuanced than that.  I thought adding a question to the installer was a reasonable compromise as it would ~cure it being forgotten.
[20:57] <soren> Boot splash.
[20:58] <soren> "Yes, I'm in favour of shininess" mode vs "Stubborn, old curmudgeon" mode. Right there.
[20:58] <ScottK> Server boot experience needs work.  Not sure we got an actual spec on it though.
[20:59] <soren> I have plenty of situations where I'd choose the latter, don't get me wrong.
[20:59] <soren> ScottK: Not recently.
[20:59] <soren> It got old suggesting the same stuff over and over.
[20:59]  * soren stops ranting for the day
[20:59] <soren> On this subject, at least.
[20:59] <ScottK> Where we landed in Lucid and mostly carried forward into Maverick pleases approximately no one for servers IMO.
[21:00] <ivoks> a lot of work
[21:00] <ScottK> A bit betwixt and between with a large sprinkling of unreliablity.
[21:00] <kirkland> cjwatson: on the user account creation page, we could ask for a Launchpad ID, noting that if a) you have an LP ID, and b) you have a public SSH key on LP, and c) this machine is internet connected, then this machine would install SSH on the system, with SSH key auth only, and import your ssh key
[21:00] <ivoks> install-over-ipmi is unusable cause of all those flashy things
[21:01] <kirkland> cjwatson: using ssh-import-id to securely retrieve said keys
[21:03] <ScottK> kirkland: Doesn't that lean into the risk of being perceived as requiring registration?  IIRC robbiew said no on anything that did that?
[21:04]  * kirkland consider jumping out of cjwatson's window to test his hypothesis for him
[21:05] <kirkland> ScottK: it's totally opt-in;  nothing required;  just type in a URL in that field where your pubkey can be found, or for convenience, an easy to remember LP id
[21:05] <ivoks> do not connect it to LP by default
[21:05] <ivoks> that's a killer feature for ubuntu server, feature that will kill it
[21:05] <kirkland> ScottK: to prevent MiM attack, you'd need SSL and a good cert, mind you
[21:06]  * robbiew reads up
[21:06] <ScottK> kirkland: I think that sounds reasonable.  I'd also like it to take a USB stick.
[21:06] <ScottK> (as in my case SSL cert validation is rather difficult to arrange during install)
[21:08] <owh> I've just had a router decide for itself that when I told it that all traffic from a particular host needed to go to a particular WAN port, I was just kidding. Is there a way that I can force my server to cease sending traffic if it's going out via the wrong link?
[21:08] <kirkland> ivoks: it's not required
[21:09] <ivoks> kirkland: i doubt many people will use it
[21:09] <ivoks> kirkland: it's like telling the LP that you are installing the server
[21:09] <ivoks> that's how people will see it
[21:09] <kirkland> ivoks: it's not at all like that
[21:09] <ivoks> i know
[21:10] <ivoks> but, that would be perception
[21:10] <ScottK> Give a USB stick option and I think it's fine.
[21:10] <ScottK> (with the LP/wherever your key is option too)
[21:10] <ivoks> leave an lp option, but don't isolate it
[21:11] <ivoks> instead of area for LP ID, put a single text area for everything
[21:11] <ivoks> lp:id or usb:file.name url:http://blablabla
[21:11] <ivoks> that way you'd get more usage of LP, imho
[21:12] <ScottK> And reduced risk of inference that LP was required.
[21:12] <ivoks> exactly
[21:13] <patdk-wk> why url:http:
[21:13] <ivoks> or http: ftp:
[21:13] <patdk-wk> url is http://...., or usb:filename...., ...
[21:13] <patdk-wk> I would see everyone screwing up if you had to type url before a url
[21:13] <ivoks> i agree
[21:14] <ivoks> it was just to make distinction
[21:53] <krycek_> any other solution like pfSense? pfSense project looks dead (more than an year in beta)
[21:53] <baggar11> krycek_: clearOS, zentyal
[21:56] <krycek_> which one do you use, baggar11 ?
[21:56] <baggar11> i use a hardware solution
[21:57]  * RoyK just uses core memory
[21:58] <RoyK> krycek_: pfsense works well, even if it's a year old
[21:59] <baggar11> there is also monowall too
[21:59] <krycek_> it's good to take a look in the others just to make sure
[22:00] <krycek_> i have to go now... thanks for all the tips
[22:49] <raubvogel> How is lvm autoloaded in 10.04?
[22:52] <mconigliaro> can anyone tell me whether do-release-upgrade will upgrade you to the next version or the latest version?
[22:52] <mconigliaro> i want to upgrade some machines from 9.10  to 10.04 LTS
[22:55] <raubvogel> mconigliaro, AFAIk to get to 10.10 you would need first to get to 10.04, so that should cover you.
[22:55] <mconigliaro> ok, cool
[22:55] <mconigliaro> raubvogel: thanks
[22:55] <raubvogel> Also, there is some setting to only use the LTS upgrades
[22:55] <mconigliaro> well, i guess i'll find out for sure in a second ;-)
[22:55] <mconigliaro> oh, thats interesting
[22:56] <mconigliaro> well, i mostly want to go to 10.04 just because i haven't gotten a chance to test 10.10 yet
[22:56] <mconigliaro> but that setting is something ill have to look into
[22:56] <raubvogel> edit /etc/update-manager/release-upgrades and set Prompt=lts
[22:56] <raubvogel> Stolen from https://help.ubuntu.com/community/LucidUpgrades
[22:57] <raubvogel> Just something to think about
[22:58] <mconigliaro> ah, perfect
[22:58] <mconigliaro> i see that's already set on my 10.04 machines
[22:58] <mconigliaro> thanks again
[22:58] <raubvogel> Cool
[23:21] <jeeves_moss> when running a cron job as a user, what would cause a premissions error when using wget?
[23:24] <ChmEarl> raubvogel, got answer about auto-lvm? dm-mod needs to be in /etc/initramfs-tools/modules
[23:25] <ChmEarl> raubvogel, rather make it dm_mod
[23:28] <ChmEarl> raubvogel, then of course, update-initramfs -u -k all
[23:44] <cjwatson> CarlFK: there's no separate server version - the installer has the same core
[23:45] <cjwatson> CarlFK: you could grab the server preseed file off the server CD
[23:46] <CarlFK> is this boot parameters?   "different Kernel options" somewhat described on https://help.ubuntu.com/10.10/serverguide/C/preparing-to-install.html#intro-server-differences
[23:47] <cjwatson> we use the generic kernel during installation on server too
[23:48] <cjwatson> differences are controlled by installer boot parameters, yes
[23:48] <CarlFK> thanks.  someone here was suggesting that there were different compile options. didn't sit well with me.
[23:49] <cjwatson> the kernel you get after installation is configured differently, certainly
[23:49] <cjwatson> I don't think I would characterise it as "different compile options" as such
[23:49] <cjwatson> (to me, that means compiler flags)
[23:50] <CarlFK> differently configured at boot time, right
[23:51] <CarlFK> um, it has been years. sense I compiled a kernel.. what does "make menu config" write the settings to?
[23:55] <cjwatson> CarlFK: .config
[23:56] <CarlFK> thats right.  so is that same or different for -server kernel?