[01:02] <uvirtbot`> New bug: #798844 in cloud-init "Chef integration" [Medium,Fix committed] https://launchpad.net/bugs/798844
[01:43] <philipballew> QUESTION: when installing ubuntu server, if i select ssh server during the installation can i then after it installs un-plug it from my monitor hook it up to my cat5 and when still on the network ssh into it?
[01:44] <twb> If you install the network-console udeb such that you complete the installation over SSH, yes.
[01:44] <twb> If you mean you're picking "SSH Server" at the tasksel prompt, I'm not 100% sure, but I think the behaviour will be the same.
[01:45] <philipballew> i'd need to send the rsa certificates over the lan then after i finish twb
[01:45] <twb> Uh, you mean ssh-copy-id?
[01:46] <philipballew> yes, that
[01:46] <twb> By default sshd will allow password-based auth, so that will work.
[01:46] <philipballew> i can do that over ssh though
[01:46] <twb> Assuming you either assigned a root password or created a user with a password during the install process.
[01:47] <philipballew> i need to set up p.f. to still. need to think if 192.168.1.2 is good enough for the server
[01:48] <twb> Linux doesn't use pf
[01:48] <philipballew> port forwarding
[01:49] <twb> Oh.
[01:49] <philipballew> not packet filter
[01:49] <twb> Well, you should never use 192.168.1/24, .0/24, or 10.0.0.0/24
[01:49] <philipballew> i had a bsd server once, not bad
[01:49] <philipballew> i figured so, but why?
[01:49] <twb> Because everyone ELSE does that, and if you ever need to join two such LANs (e.g. VPN from one to the other), you will cry.
[01:50] <twb> Try echo 10.$((RANDOM%256)).$((RANDOM%256))/24
[01:50] <philipballew> i plan to use this server to connect to when i am at a college and their wirewalls are alloning me
[01:50] <philipballew> haha
[01:59] <twb> I don't know what "alloning" means.
[02:00] <Pici> 'allowing'
[02:00] <Pici> actually, that doesn't make sense either.
[02:09] <patdk-lap> twb, I would say, 10 < x < 250
[02:09] <patdk-lap> with routers using 192.168.0-3 being common
[02:09] <patdk-lap> also can't use 192.168.100, or 10.0.10 cause of modems
[02:10] <patdk-lap> or was it 10.1.10
[02:10] <twb> patdk-lap: that seems reasonable
[02:10] <airtonix> patdk-lap: wut?
[02:10] <patdk-lap> wut language is that from?
[02:11] <philipballew> twb, my keyboards messin with me. its allowing
[02:11] <airtonix> it's from the "you-talking-nonsense-and-i-need-clarification" language
[02:11] <patdk-lap> airtonix, go back to math class
 also can't use 192.168.100, or 10.0.10 cause of modems
[02:12] <patdk-lap> you have never used a dsl or cable modem?
[02:12] <airtonix> my modems must be awesome, because i have no problems using those networks
[02:12] <twb> patdk-lap: probably he is sensible and puts them in bridge mode
[02:13] <patdk-lap> can't put cable modem in bridge mode
[02:13] <DanaG> My modem takes only precisely 192.168.100.1.
[02:13] <airtonix> lol
[02:13] <DanaG> And it doesn't need to be specifically reachable, if you don't care about the status pages.
[02:13] <twb> patdk-lap: I guess
[02:13] <patdk-lap> danag, nope, I didn't say you couldn't use it
[02:13] <DanaG> 100.1 isn't routable, so the router passes it upstream, and the modem intercepts it.
[02:14] <airtonix> DanaG: the power of faith is all you need?
[02:14] <patdk-lap> I just said it's preferable if you didn't
[02:14] <patdk-lap> if you ever care you check your status
[02:14] <twb> DanaG: I *hate* that
[02:14] <DanaG> Or what's worse:
[02:14] <DanaG> Cable modems that have the status page actively DISABLED.
[02:14] <twb> "bridge" doesn't mean "bridge except for frames you feel like hijacking", you damn appliance
[02:14] <DanaG> By the ISP.
[02:15] <patdk-lap> I hate ones that have status page accessible only via java
[02:15] <patdk-lap> and have their snmp disabled
[02:15]  * patdk-lap notes comcast
[02:15] <DanaG> Say, I've never checked snmp on my cable modem.
[02:15] <patdk-lap> well, snmp only accessible via comcast techs
[02:16] <DanaG> oh, and my mom's OfficeJet Pro crashes any time I enable my employer's management tool's "probe" feature on a computer at home.
[02:16] <DanaG> Mine is Charter, but a self-bought SB5100 or so.
[02:16] <DanaG> Charter doesn't seem to touch the firmware on it, but since it's a Motorola SIMILAR to what they support, it works.
[02:16] <patdk-lap> this is comcast business, you must use their supplied modem :(
[02:17] <DanaG> For a while, we had a Linksys one... it crashed all the time.  And Charter didn't offer the known-fixed firmware.
[02:17] <patdk-lap> at least I get 120mbit downloads though
[02:17] <DanaG> They told ME to upgrade the firmware.
[02:17] <DanaG> Sure, just let me log into your servers.
[02:18] <DanaG> So anyway, Motorola modem + TomatoUSB router == rock-solid.  Once they changed out the rusted-out cable run from the street, that is.
[02:18] <patdk-lap> at home here, still don't have docsis2 :( my linksys modem has been reliable for the last 6 years though
[02:18] <patdk-lap> ya same here, had a break in the cabletv, they ran a new cable, been great
[02:19] <DanaG> We used to get 30% packet loss during rain, but they said, "oh, your signal is fine!" -- for years.
[02:19] <DanaG> And then when we got Charter Telephone, they were legally obliged to fix it.
[02:19] <patdk-lap> oh, mine went quickly
[02:19] <DanaG> And well whaddaya' know?  The cable running from the street was completely rusted out!
[02:19] <patdk-lap> in <3months I went from once a week drop for a few min, to >3hour drops per day
[02:32] <DanaG> Oh yeah, and our electrical boxes were below ground level, until a few months ago.
[02:32] <DanaG> Even our phone lines got crosstalk with neighbors.
[02:32] <DanaG> or so my parents say.
[02:33] <DanaG> I'm living at home, but rarely use the landline, even in non-rainy weather.
[02:33] <DanaG> So anyway, something slightly more on-topic: I gave the Broadcom 5723 another chance, and it seems reasonable after all.
[02:34] <DanaG> Versus this Intel, it came to about the same in iperf: http://www.newegg.com/Product/Product.aspx?Item=N82E16833106033
[02:39] <jaith> Can anyone tell me how I might discover for each of my installed packages whether it's main/restricted/universe/multiverse ?
[02:40] <smw> jaith, why would you need to do that?
[02:41] <jaith> smw: I'm hardening my server, which came with universe enabled
[02:41] <jaith> smw: given that universe packages are assembled by the community, I'm a bit concerned about security
[02:42] <smw> jaith, that is not going to protect you much...
[02:42] <smw> it seems like a bad idea.
[02:42] <smw> anyways, if it is a new install, it should have no universe packages, right?
[02:42] <jaith> smw: please elaborate.  how could checking on my installed packages not protect me much?
[02:42] <jaith> smw: that is precisely what I'm trying to sort out
[02:43] <jaith> smw: the default install has universe enabled in sources.list
[02:43] <smw> jaith, you know what is installed because you installed it, right?
[02:43] <smw> anything installed by default you kind of need to trust...
[02:43] <jaith> smw: i have not installed anything yet.  i instantiated a clean ubuntu 10.04 from an official ubuntu ami on amazon ec2
[02:43] <smw> or not trust the OS
[02:44] <jaith> smw: i tend to agree with you, but i need my server to be very secure.  let's say it's an academic argument.
[02:44] <smw> jaith, then checking what is installed is kind of pointless.
[02:44] <smw> the same company that puts ubuntu together makes the ubuntu amis
[02:45] <jaith> smw: yes I understand, but I would like to know which are main and which are universe, if only to keep an eye on them
[02:45] <jaith> smw: if all you want to do is discourage me from searching, then you're wasting your time :D
[02:45] <jaith> smw:  i do have another question you might be able to answer
[02:45] <smw> jaith, you do realize it is very difficult to add packages to universe, correct?
[02:45] <smw> fine, I will answer what I would od
[02:46] <smw> do*
[02:46] <jaith> smw: that may well be true, but searching where your packages are from should be quite easy.
[02:46] <smw> dpkg --get-selections for a list of packages
[02:46] <smw> awk out the package names
[02:46] <smw> loop over them with apt-cache policy
[02:46] <smw> jaith, it is not that easy. Ubuntu does not care where a package came from
[02:47] <smw> you need to work out where they are now and assume that is where they came from
[02:48] <jaith> smw: i'm hoping to avoid a package-by-package search when I have some 385 installed packages
[02:49] <smw> jaith, that is why you script it
[02:49] <smw> lol
[02:49]  * patdk-lap has all the packages he really needs, compiled himself in his own ppa
[02:50] <jaith> well here's a start
[02:50] <jaith> dpkg --get-selections | grep -oE '^[a-z\-]*\s'
[02:50]  * smw just trusts the people who put together the os
[02:50] <jaith> am i correct in thinking that will return installed packages?
[02:50] <patdk-lap> smw, I'm using newer versions than what is in the os, normally
[02:50] <smw> jaith, I would have just used awk... but whatever works for you :-)
[02:51] <smw> patdk-lap, cool
[02:51] <patdk-lap> get selections tells you nothing about where it came from, only what is installed
[02:51] <jaith> smw: i don't know the first thing about awk
[02:51] <patdk-lap> awk is like regex meet bash
[02:51] <smw> jaith, ok, it worked anyways :-)
[02:51] <jaith> yes so now i need to pipe that to some other command which tells me main/restricted/universe/multiverse
[02:51] <jaith> any hints most welcome :D
[02:52] <smw> jaith, you are taking this way too far
[02:52] <smw> lol
[02:52] <jaith> smw: i'm OCD like that
[02:52] <smw> jaith, apt-cache policy
[02:52] <smw> jaith, I would not recommend a bank be this crazy
[02:52] <smw> lol
[02:53] <jaith> smw: that's the funny thing, the site i'm trying to secure processes credit cards.  our sshd binary is compromised.
[02:53] <smw> why is your binary compromised?
[02:53] <jaith> smw: ergo, paranoia
[02:53] <jaith> smw: hang on...i go get lovely ascii art for you
[02:54] <smw> jaith, were you recently hacked or something?
[02:54] <patdk-lap> heh, I doubt it was really sshd, sounds like you were rooted
[02:54] <jaith> smw: YES
[02:54] <twb> smw: he's probably a rent-a-sysadmin
[02:54] <patdk-lap> normally that comes from bad website programming
[02:54] <patdk-lap> plus running non-patched software
[02:54] <jaith> twb: i'm php programmer.  not sysadmin :(
[02:55] <twb> smw: $bank was running, say, Fedora Core 3 or Gentoo because $some_guy set it up, and AFTER they're broken into, jaith is called in to fix it
[02:55] <jaith> patdk-lap: curious, how does bad php lead to rooting?
[02:55] <patdk-lap> jaith, did I say that?
[02:55] <smw> twb, nope, even better. He is a web programmer...
[02:55] <patdk-lap> I said it lets one in, so that it can be rooted
[02:55] <jaith> smw: no, i wrote the code nearly 10 years ago when i knew almost nothing
[02:55] <patdk-lap> if you don't update your system often enough
[02:55] <twb> patdk-lap: better than running patched software, is not running any software at all
[02:56] <twb> e.g. no inetd beats xinetd
[02:56] <patdk-lap> twb, and better than that, is not running a server :)
[02:56] <jaith> this is a blast.  show-offs purporting to help, trying to talk me out of well-justified paranoia. wheeee!
[02:56] <patdk-lap> jaith, no
[02:56] <patdk-lap> we are saying the system has been rooted
[02:56] <jaith> agreed
[02:56] <jaith> that is why new system being set up
[02:57] <patdk-lap> there is no point for paranoia
[02:57] <patdk-lap> cause you need a reinstall
[02:57] <smw> twb, I was a kid in highschool who like to do jobs on odesk for fun. I fixed a small (but profitable) site that was having problems with uptime. I have a full time job now...
[02:57] <twb> jaith: if you are paranoid you would not have any PHP there in the first place
[02:57] <patdk-lap> then a code review of the website is probably in order
[02:57] <jaith> and that is why i'm trying to examine initial setup to make sure all the signatures check out and no funny stuff
[02:57] <jaith> new server is Ubuntu 10.04 instance running on EC2
[02:58] <smw> jaith, you are being beyond paranoid.
[02:58] <jaith> security currently locked down.  only ssh port permitted, public cert auth required, and ssh access limited to my IP block
[02:58] <patdk-lap> you're going to go that paranoid AND use ec2?
[02:58] <smw> patdk-lap, ec2 is secure...
[02:58] <jaith> *sigh*
[02:58] <twb> ahaha
[02:59] <twb> jaith: "only ssh port" -- so http is currently blocked?
[02:59] <patdk-lap> smw, I won't mention my root issues with ec2
[02:59] <jaith> <<<suddenly realizes he's been cornered by griefers >>>
[02:59] <jaith> twb: yes until i get it set up :D
[02:59] <smw> patdk-lap, I would like to hear them. :-)
[02:59] <twb> Anyway, if the sshd binary is compromised, you might as well do a full reinstall.
[02:59] <patdk-lap> check channel logs from november :) about the 18th
[03:00] <jaith> personally, i am wondering why it's so hard to sort my installed packages by main/universe/whatever
[03:00] <twb> jaith: because Canonical don't want to make it obvious that their *supported* package list is fuck-all
[03:00] <smw> patdk-lap, my entire company runs in amazon ec2
[03:00] <patdk-lap> jaith, cause if it was installed, it was assumed you already checked that
[03:00] <twb> jaith: but you can check a specific package with "apt-cache policy foo"
[03:00] <jaith> twb: this is an entirely different machine, hosted on an entirely different network.  i am no longer trying to do any sort of forensics on the old machine
[03:00] <smw> patdk-lap, if used right, there are no security issues...
[03:00] <twb> jaith: OK
[03:00] <jaith> twb: THANK YOU
[03:01] <patdk-lap> smw, if used right, security patches wouldn't accidentally be left out of the ec2 kernel :)
[03:01] <twb> jaith: I run http://paste.debian.net/123601/ from cron.monthly on Lucid machines to check for unsupported packages
[03:01] <twb> jaith: expect there to be half a dozen, even on a relatively small system :-/
[03:01] <smw> patdk-lap, is ubuntu bad at including security updates in their kernel? lol
[03:02] <patdk-lap> smw only if it isn't a clean patch :)
[03:03] <jaith> this is a *brand spanking new compute instance* created from one of the "official" AMIs listed on the ubuntu site
[03:03] <jaith> i haven't installed a single thing myself yet
[03:04] <jaith> before i bother, want to check out existing installed packages (of which there are some 385)
[03:04] <patdk-lap> seems like a lot of packages
[03:04] <jaith> i agree
[03:04] <patdk-lap> but I always install minimal system though
[03:05] <twb> smw: define "bad"
[03:05] <smw> jaith, there are much more important places to use your security efforts.
[03:05] <smw> most of them involve humans and access
[03:06] <patdk-lap> humans and cgi's :)
[03:06] <jaith> smw: there is only one website running on this machine.  i am the only developer.
[03:06] <jaith> no cgi access, etc.
[03:06] <patdk-lap> php is cgi access
[03:06] <jaith> agreed that webstack and php files are probably least safe part
[03:07] <twb> jaith: if you do an expert install, you can opt-out of restricted/universe/multiverse/backports being included in source.list to begin with.
[03:07] <patdk-lap> twb, he did ec2 install
[03:07] <jaith> twb: i have no such choice with EC2 without creating my own AMI which, sadly, is beyond my skillset
[03:07] <twb> Well, you might as well bend over and give amazon a free rein, then.
[03:08] <smw> jaith, you are looking in the wrong places to deal with security concerns.
[03:09] <smw> and yes... php can cause serious problems if setup wrong :-\
[03:09] <smw> there are new bugs for it way too often
[03:11] <jaith> let's assume, just for a moment, that this was an academic discussion and alllllll i wanted to do was determine the source of my installed packages.
[03:11] <jaith> like, let's make-believe and say i'm a security researcher or investigative blogger out to snitch on canonical, hm?
[03:11] <jaith> c'mon it'll be fun!
[03:11] <smw> jaith, I would say that was pretty stupid.
[03:12] <jaith> smw: and I would say you are decidedly unhelpful
[03:15] <jaith> The ASCII art as promised:
[03:15] <jaith>   _________________________
[03:16] <jaith>     ||   ||     ||   ||
[03:16] <jaith>     ||   ||, , ,||   ||
[03:16] <jaith>     ||  (||/|/(/||/  ||    Don`t
[03:16] <jaith>     ||  ||| _'_`|||  ||    Be
[03:16] <jaith>     ||   || o o ||   ||    Mad
[03:16] <jaith>     ||  (||  - `||)  ||-------AAAAAAAAAAAAAAAAAAAA
[03:16] <jaith>     ||   ||  =  ||   ||
[03:16] <jaith> MFU ||   ||(___)||   ||
[03:16] <jaith>     ||___||) , (||___||    UstupidMF ownz you!
[03:16] <jaith>    (||---||-)_(-||---||)  (say something,please talk to me
[03:16] <twb> !ops
[03:16] <jaith>   ( ||--_||_____||_--|| )
[03:16] <jaith>  (_(||)-|  (%d)   |-(||)_)
[03:16] <smw> wtf?
[03:17] <twb> smw: I think he's saying sshd emits that as motd or something
[03:18] <smw> ah
[03:18] <smw> twb, his "sshd binary was hacked"
[03:18] <smw> twb, now I see how he came to that conclusion...
[03:18] <jaith> if you use 'strings' command on the sshd binary , it's in the binary somewhere
[03:19] <smw> jaith, ok...
[03:19] <twb> jaith: use a pastebin next time, please
[03:20] <jaith> additionally, a check of one's package checksums calls out ssh
[03:20] <jaith> twb: sorry
[03:20] <smw> jaith, but you are still being unreasonably paranoid. You are acting like a programmer trying way too hard to optimize one line of addition that he does not realize he could index a column in a database and increase speed 1000 fold.
[03:22] <twb> I don't understand what attack profile he's trying to guard against, nor how he's trying to go about it.
[03:22] <twb> All I've heard so far is he's using a stock amazon base image, with a default-deny firewall.
[03:23] <smw> twb, and he is afraid of the people who made the image (canonical) and not the people who will try to hack his server.
[03:23] <jaith> and you guys won't answer a simple question, preferring instead to wax philosophical about how I'm "doing it wrong"
[03:24] <jaith> believe me, i'd be happy to get advice on keeping the web stack safe when i get there
[03:24] <twb> Well, I wouldn't trust foo.img to be a clean debootstrap of signed packages from archive.ubuntu.com
[03:24] <twb> Certainly I think it's more productive to worry about his shitty PHP app
[03:24] <twb> Since merely by being PHP means it's good odds that's how they got into the last system.
[03:25] <smw> twb, that is not very constructive either ;-)
[03:25] <jaith> it's most definitely not constructive.  he's stroking his e-peen
[03:26] <jaith> here's the other nifty part:  if I can get a good, clean, baseline image, i can re-use it
[03:26] <jaith> the question is:  how clean is it?
[03:26] <jaith> a fair question, wouldn't you agree?
[03:26] <jaith> EC2 makes it very easy to store a machine image and re-use it later
[03:26] <smw> jaith, I am going to give up and just say you are trying to prevent the wrong type of attack.
[03:27] <jaith> smw: give up?  you haven't even tried to answer my question.
[03:27] <jaith> smw: you've tried to tell me "i'm doing it wrong"
[03:28] <smw> jaith, in the beginning I explained (in not much detail) how I would try to solve the problem you gave me (not the one you actually need to solve.)
[03:28] <jaith> smw: that's true.  and i've made progress.
[03:28] <jaith> dpkg --get-selections | grep -oE '^[\.a-z0-9\-]+\s' | wc -l
[03:28] <jaith> returns exactly the same line count as dpkg --get-selections | wc -l
[03:30] <smw> jaith, you need to trust something to start with. Canonical's image is a good choice.
[03:30] <jaith> I would also draw everyone's attention to this snippet from the ubuntu site: "The universe component is a snapshot of the free, open-source, and Linux world. It houses almost every piece of open-source software, all built from a range of public sources. Canonical does not provide a guarantee of regular security updates for software in the universe component, but will provide these where they...
[03:30] <jaith> ...are made available by the community. Users should understand the risk inherent in using these packages."
[03:31] <smw> not guaranteeing security updates != untrusted packages from the "community"
[03:32] <jaith> yes but excluding *unnecessary* packages that may cease to be updated despite security holes is a valid concern
[03:33] <jaith> i can only think of two reasons why i'm not getting help here: 1) we are afraid of our faith in ubuntu being shaken or 2) we just don't know how
[03:33] <jaith> oh and possibly 3) disaffected griefers don't really have any interest in helping irritating noob
[03:35] <jaith> so maybe I'll try another question:  will apt complain when a package or dependency package which is a) unsigned or b) signed by someone other than one of my very own apt keys?
[03:37] <patdk-lap> I'm sorry, due to the lack of faith you have in this channel, I can no longer help you
[03:37] <patdk-lap> It's bad form to insult people, and continue to ask for help
[03:39] <jaith> i apologize.  i didn't mean to insult anyone.  I was just hoping to get the answer to a specific question.  smw has in fact helped some. i do believe it's fair to say my original question has gone unanswered.
[03:39] <jaith> thanks for your help anyway
[03:57] <jaith> fyi, this appears to be working approximately
[03:57] <jaith> dpkg --get-selections | grep -oE '^[+\.a-z0-9\-]+\s' | xargs apt-cache policy
[03:58] <jaith> some minor additional filtering results in 575 lines instead of the 383 i might expect -- this because the apt-cache policy command sometimes returns two lines for a given package
[03:59] <jaith> dpkg --get-selections | grep -oE '^[+\.a-z0-9\-]+\s' | xargs apt-cache policy | grep -E ' (lucid.*/[a-z]+)'
[03:59] <jaith> interestingly, not one line appears to reference 'universe'
[03:59] <jaith> dpkg --get-selections | grep -oE '^[+\.a-z0-9\-]+\s' | xargs apt-cache policy | grep -E ' (lucid.*/[a-z]+)' | grep universe | wc -l
[04:04] <smw> jaith, I fail to see how that is surprising...
[04:20] <justin__234> gday blokes
[04:20] <justin__234> wikipedia runs on ubuntu server!
[04:20] <twb> I can't fix that
[04:55] <Tommy_nmw> good to see all ppl in this channel
[05:01] <DanaG> bug 802464
[05:01] <uvirtbot`> Launchpad bug 802464 in linux "linux: 2.6.38-10.46 -proposed tracker" [Medium,Fix released] https://launchpad.net/bugs/802464
[05:17] <Tommy_nmw> is there anyone who is using opensource inventory software for non-profit?
[05:17] <twb> Sorry, I only turn a profit
[05:18] <twb> Oh, sorry, misread
[05:18] <twb> inventory software as in asset tracking?
[05:19] <Tommy_nmw> twb: yes. it is for asset tracking but not tracking drivers or software .Just physical assets like toners or printer cartridges or CDs /DVDs in and out
[05:19] <twb> Not sure
[05:20] <jmarsden> Tommy_nmw: I have not used it, but maybe http://asset-tracker.sourceforge.net/ will do what you need?
[05:21] <twb> https://secure.wikimedia.org/wikipedia/en/wiki/Fixed_assets_management appears to be what you're thinking of
[05:21] <twb> The ERP solutions I've dealt with were scary as all hell
[05:22] <Tommy_nmw> jmarsden: I have checked it out. design is not cool. I am inspired by openERP. but it is linked with accounting and sales module. I just want stand alone inventory stock control module for nonprofit use.
[05:23] <twb> Tommy_nmw: my gut tells me you aren't gonna get that
[05:23] <jmarsden> Tommy_nmw: If you know enough to criticize software design... write your own app to do what you need, then it will be designed perfectly for your needs :)
[05:24] <twb> Tommy_nmw: that you'll either have to pick a crappy low-budget standalone implementation, or to deploy a heavyweight do-everything one and just try to ignore the other modules
[05:26] <Tommy_nmw> twb: no Free of charge solution ??
[05:26] <Tommy_nmw> twb:  as we have no budget
[05:27] <twb> Tommy_nmw: both those cases are assuming FOSS
[05:28] <twb> Which isn't necessarily free-of-charge -- e.g. I'm assuming your time has value
[05:30] <Tommy_nmw> twb: I can use only stock inventory only module. but they are linked with other accounting entries. so without entering those values, my records won't be complete to proceed
[05:31] <twb> Tommy_nmw: bummer
[05:32] <Tommy_nmw> twb: it depends on one's view
[06:02] <lickalott> guys...i'm trying to change my default ssh port.  I've changed it in /etc/ssh/sshd_config but when i try to restart the process it kicks out - could not load host key: for rsa and dsa keys
[06:02] <lickalott> anything i can try before a restart?
[06:11] <twb> ssh won't start if you don't have host keys
[06:11] <twb> "sudo dpkg-reconfigure openssh-server" to create them if they are missing
[06:16] <lickalott> *love
[06:16] <lickalott> worked!
[06:17] <lickalott> ^5'S TWB
[06:17] <uvirtbot`> lickalott: Error: "5'S" is not a valid command.
[06:18] <twb> uvirtbot`: die
[06:18] <uvirtbot`> twb: Error: "die" is not a valid command.
[06:20] <lickalott> lol
[06:22] <twb> lickalott: btw, if this happened because you cloned an image, whoever built the image did that deliberately to prevent MITM attacks, and just forgot to tell you / automate the dpkg-reconfigure call
[06:26] <Tommy_nmw> hi
[07:21] <Tommy_nmw> ih
[07:21] <Tommy_nmw> hi
[07:22] <Tommy_nmw> does somebody know how to get proxy config screen during installation ?
[07:24] <Tommy_nmw> http://dropbox.unl.edu/uploads/20110804/68422200eb6ca9d2/how%20to%20http%20proxy.png
[07:28] <twb> Tommy_nmw: uh, it asks you when you configure the mirror to use
[07:29] <twb> maybe you need priority=low; I don't normally do default priority installs
[07:29] <Tommy_nmw> twb: now I am inside ubuntu server so how can I get that screen back to put some proxy settings to use internet
[07:29] <twb> If you're installing hardy, ISTR it "helpfully" skipped the proxy step if it decided it could get out without asking
[07:29] <Tommy_nmw> ?
[07:30] <twb> Tommy_nmw: oh, right
[07:30] <twb> Tommy_nmw: /etc/apt/apt.conf, and/or $http_proxy
[07:30] <twb> acquire::http::Proxy "http://proxy:8080/"; IIRC
[09:12] <stylewalka> I was just trying to upgrade to maverick, but got a couple of error messages regarding setting up procps; could anyone helpout?
[09:23] <SimpleAnecdote> Hi guys. Trying to sort out iptables but the server outputs "-bash: iptables: command not found - any thoughts/
[09:23] <SimpleAnecdote> ?
[09:26] <greppy> SimpleAnecdote: check your path, iptables is usually in /usr/sbin
[09:27] <greppy> sorry, /sbin, not /usr/sbin
[09:27] <dark-sun> hi people
[09:27] <SimpleAnecdote> greppy - cheers. Apparently I didn't have iptables installed!
[09:28] <SimpleAnecdote> path sorts out automatically on Ubuntu. It's CentOS and other RHEL that have the path issue I think
[09:28] <SimpleAnecdote> I have not touched a command line in a while
[09:29] <greppy> it depends on your environment :)
[09:30] <SimpleAnecdote> greppy: I am over my head with these iptables. I wanted to access them because webmin did not respond via remote browser. But internally, it fetched index.html... Any ideas?
[09:35] <greppy> is webmin listening on the external interface?  ( keep in mind webmin is pretty much app non grata on ubuntu )
[09:35] <SimpleAnecdote> greppy: really? I didn't know that
[09:35] <SimpleAnecdote> I just hate CentOS so much...
[09:36] <SimpleAnecdote> What GUI control panel do people use on Ubuntu? cPanel only?
[09:38] <greppy> I don't know, I'm a cli junky :(
[09:39] <greppy> I use froxlor for webhosting, but the rest of the box is managed from the cli.
[09:39] <SimpleAnecdote> that's awesome. I fear I am not a savvy enough person to CLI my way through managing the box
[09:39] <SimpleAnecdote> I had to google VIM commands not 10 minutes ago!
[09:40] <greppy> :)
[09:41] <greppy> another option may be to use nano or joe, which can be a little easier to use, joe can use wordstar keybindings if you know them.
[09:41] <SimpleAnecdote> VIM is fine. I've used it in the past (but long long long ago). Once I have the cheatsheet open in the browser, it's pretty easy
[09:42] <SimpleAnecdote> I have no idea how to sort out this webmin crap
[09:42] <greppy> what are you trying to do with webmin?
[09:43] <SimpleAnecdote> get it to work ;P
[09:43] <SimpleAnecdote> trying to access it via browser results in 'Page not found'
[09:44] <Tommy_nmw> hello everyone!! I have a question about  installation step in phpMyadmin. can anyone help  me?
[09:45] <SimpleAnecdote> however, wget https://localhost:10000 --no-check-certificate fetches index.html properly
[09:45] <SimpleAnecdote> just a remote browser problem
[09:45] <SimpleAnecdote> Tommy_nmw: what's the question
[09:46] <Tommy_nmw> SimpleAnecdote: I am now being asked "configure database for phpmyadmin with dbconfigure-common? As I have no idea to create database now, Can I say NO ? and later , how can I get that screen back?
[09:47] <SimpleAnecdote> Tommy_nmw: Accept dbconfigure-common
[09:47] <Tommy_nmw> SimpleAnecdote: http://dropbox.unl.edu/uploads/20110804/0b61b8c21d4405e0/IMG_0743.JPG
[09:47] <SimpleAnecdote> it will create it automatically for you
[09:47] <Tommy_nmw> SimpleAnecdote: if the database name or configuration is not matched with the application I would use in future, what do I do?
[09:47] <Tommy_nmw> SimpleAnecdote: I am not smart at DB related
[09:49] <SimpleAnecdote> Tommy_nmw: this is not a database for any application. This is a database for phpmyadmin to use for some operations. Just accept dbconfigure-common, and then (once you've configured apache to redirect to it) go to http://yourhostname.exi/phpmyadmin
[09:49] <SimpleAnecdote> you will be able to create as many DBs as you want
[09:49] <SimpleAnecdote> under any name
[09:49] <SimpleAnecdote> and manage them easily via phpmyadmin
[09:49] <greppy> SimpleAnecdote: check the config, wherever webmin sticks it, and make sure that it is setup to listen on your network interface.
[09:50] <greppy> SimpleAnecdote: another option would be to use ssh to port forward and get access that way.
[09:50] <SimpleAnecdote> greppy: I am on SSH right now... I have NO GUI at the moment for anything
[09:51] <SimpleAnecdote> I've been installing my machine via SSH
[09:51] <SimpleAnecdote> I've put this command in: iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT
[09:52] <Tommy_nmw> SimpleAnecdote: thanks bro. done
[09:52] <SimpleAnecdote> Tommy_nmw: no problems. If you have any other questions - just ask
[09:53] <SimpleAnecdote> you might want to try php channels though ;P
[09:53] <greppy> SimpleAnecdote: if you didn't have iptables installed before, that shouldn't be the problem.
[09:53] <greppy> what happens when you try to telnet to port 10000 from another machine?
[09:54] <SimpleAnecdote> greppy: I haven't tried
[09:54] <Tommy_nmw> SimpleAnecdote: I am now chatting from Windows XP , ubuntuserver is by my side.  in the same network.. I would like to know how can I log in to phpmyadmin from Windows XP browser
[09:55] <SimpleAnecdote> Tommy_nmw: Put this "Include /etc/phpmyadmin/apache.conf" (without quotation marks) in /etc/apache2/apache2.conf (at the end of the file)
[09:56] <Tommy_nmw> now I got it with IP address. but I dont know what is username for login
[09:56] <SimpleAnecdote> Tommy_nmw: Once you do that, from the XP machine - just open browser, type in ubuntu http://ip/phpmyadmin
[09:57] <SimpleAnecdote> google default phpmyadmin user/pass for your installation. I believe it should be your MySQL root user
[09:57] <Tommy_nmw> SimpleAnecdote: I now can see log in page as you said. but I do not know what username it is. I was asked only for password during installation
[09:57] <SimpleAnecdote> Tommy_nmw: oh, try 'admin' or 'root
[09:57] <SimpleAnecdote> '
[09:57] <dark-sun> I'm about to buy a server, is it a good idea to assemble it instead of buying from HP?
[09:57] <Tommy_nmw> SimpleAnecdote: why are you so brilliant? It works now
[09:58] <SimpleAnecdote> Tommy_nmw: I am not. I have just done it loads of times before.
[09:59] <SimpleAnecdote> greppy: I don't really know what to do then. The connection is not getting through
[09:59] <Tommy_nmw> SimpleAnecdote: btw, I would like to know how I can connect to that server with domain name instead of http://ipaddress/phpmyadmin.
[09:59] <SimpleAnecdote> Tommy_nmw: you need to configure DNS.
[09:59] <Tommy_nmw> SimpleAnecdote: I am very new to that setup. some said http://httpd.apache.org/docs/2.0/vhosts/  but I don't understand them
[10:00] <Tommy_nmw> SimpleAnecdote: how to ?
[10:03] <SimpleAnecdote> Tommy_nmw: DNS is a bit complicated. If you're using your own machine you need to configure your own name servers - google that as I will be no help with that. If you're using a proper host - just ask them for their nameservers and then redirect your bought domain to those name servers
[10:06] <Tommy_nmw> SimpleAnecdote: Dear bro, the ubuntu server is configured name server entry under /etc/network/interfaces. so I could install phpmyadmin from internet. do I also need to create/configure  BIND to turn it into  DNS server?
[10:08] <SimpleAnecdote> You'll need BIND but as I've said - I am no help here. I know the principles, but I've never configured my own nameservers. I can tell you that GUI control panels like DirectAdmin/Kloxo/cPanel/Plesk might make it easier for newbies like us.
[10:08] <SimpleAnecdote> But Kloxo is annoying
[10:08] <SimpleAnecdote> And I believe the others cost money
[10:08] <SimpleAnecdote> Googling the subject might yield much better results than my arbitrary advice ;P
[10:35] <stylewalka> I was just trying to upgrade to maverick, but got a couple of error messages regarding setting up procps; could anyone help out?
[10:40] <greppy> stylewalka: a link to a pastebin of the errors would probably be a good start
[11:17] <weeman2> g
[11:41] <stylewalka> [/sty
[11:49] <stylewalka> I was just trying to upgrade to maverick, but got a couple of error messages regarding setting up procps; could anyone help out? aptitude safe-upgrade results in http://paste.debian.net/123650; thanks
[12:51] <uvirtbot`> New bug: #814058 in minicom (universe) "[#313217] runscript crash when using environment variable in script" [Undecided,New] https://launchpad.net/bugs/814058
[12:52] <lynxman> smoser: ping
[12:54] <smoser> here
[12:55] <lynxman> smoser: question about cloud-init for you
[12:55] <lynxman> smoser: I'm trying to implement the new certificate method for mcollective in the plugin
[12:55] <lynxman> smoser: problem as always, there's a private key flying over :D
[12:55] <lynxman> smoser: have you given more thought about this recurrent issue?
[12:57] <smoser> lynxman, recurrent issue
[12:58] <smoser> i  might have missed a message. what is that?
[13:01] <lynxman> smoser: trying to pass certs through cloud-init
[13:01] <lynxman> smoser: maybe it's recurrent just for me, since I met this issue twice
[13:02] <smoser> you mean the general issue of wanting to pass potentially sensitive data to the instance?
[13:03] <lynxman> smoser: yes :)
[13:03] <smoser> i have 2 thoughts
[13:03] <smoser> 1 works now
[13:04] <smoser> a.) use expiring s3 urls (or some other one-time use url) and #include
[13:04] <smoser> b.) implement some mechanism to have cloud-init wait on a volume, attach volume, take data, detach volume
[13:05] <lynxman> smoser: hmm I see
[13:06] <smoser> lynxman, i would be interested in you testing 'a' and seeing how it works. covering second boots and such.
[13:06] <smoser> maybe there would be a need for '#include-once' or some other mechanism that would say "this is only going to be there one time, don't fail on subsequent attempts at it"
[13:07] <lynxman> smoser: sounds like the best plan so far
[13:07] <lynxman> smoser: or silently fail if the cert is already in place
[13:07] <lynxman> smoser: it's an indirect include-once
[13:08] <smoser> right. on the server side. but for s3 expiring urls, i think it would 404
[13:08] <smoser> and cloud-init might get crabby about that
[13:08] <lynxman> smoser: not if we use httplib2 right, do a try catch and such
[13:09] <smoser> #include is just using urllib.urlopen.read()
[13:09] <smoser> just because it is.
[13:09] <smoser> but yes, the right thing would be to be smarter there.
[13:10] <smoser> patches are welcome, lynxman.
[13:10] <smoser> but i would think i would rather use urllib.urlib2 as i'm using that in other parts of the code.
[13:10] <lynxman> smoser: Yeah I think it's better to create the #include-once function
[13:10] <lynxman> smoser: to avoid breaking anything, and it's quite explicit as well, it'll silently not fail
[13:11] <lynxman> smoser: thanks for your thoughts :)
[13:45] <Ursinha> good morning :)
[13:47] <pmatulis> good morning
[13:56] <LyonJT> Hey all!
[13:59] <LyonJT> Is anyone here experienced with proftpd?
[14:01] <patdk-wk> proftpd is simple
[14:01] <patdk-wk> it also does some newish ftp stuff that confuses some ftp clients
[14:02] <LyonJT> I have installed it and changed the default port, that's it at the moment
[14:02] <LyonJT> What else do i need to do because when a user is trying to login it's hanging?
[14:03] <patdk-wk> nothing
[14:03] <patdk-wk> sounds like you have active port issues
[14:03] <LyonJT> Any idea why it's not letting the user in?
[14:04] <patdk-wk> you sure it's not letting the user in
[14:04] <LyonJT> it's hanging on listing directory
[14:04] <patdk-wk> or just failing on dir
[14:04] <patdk-wk> totally different issue
[14:04] <patdk-wk> well, fix your firewall
[14:04] <patdk-wk> or the users firewall
[14:04] <LyonJT> is that what is making it fail on listing directory?
[14:04] <patdk-wk> unable to make a connection
[14:04] <LyonJT> I see and this could be the firewall causing it?
[14:05] <patdk-wk> yes
[14:05] <LyonJT> okay let me check that out!
[14:05] <patdk-wk> normally firewalls attempt to fix this for you
[14:05] <LyonJT> Thanks buddy!
[14:05] <patdk-wk> but you changed the default port, so it isn't helping now
[14:06] <LyonJT> tcp or udp?
[14:06] <LyonJT> or both?
[14:40] <Nonox> hi there!
[14:42] <Nonox> I'm using Amazon EC2 and I have a problem, can anyone help me?
[14:43] <hallyn> list the problem
[14:43] <Nonox> after using the command ec2-modify-instance-attribute (micro to large), i lost the possibility to connect to my server
[14:44] <hallyn> Nonox: probably a stupid question, but - did you check for a new ip address?
[14:46] <Nonox> I tried to connect using the dns name (http://ec2-50-16-57-148.compute-1.amazonaws.com) with the browser
[14:47] <hallyn> Nonox: and you're sure that's still the dns name for the instance?
[14:49] <Nonox> is working! the problem was that the console spent like an hour to refresh the new name for my new dns
[14:49] <Nonox> SORRY
[14:49] <Nonox> It was my first time using the API!
[14:50] <Nonox> And... I was afraid!
[14:51] <Nonox> thanks hallyn for your help!
[14:51] <hallyn> Nonox: np :)
[14:52] <uvirtbot`> New bug: #629925 in open-vm-tools (multiverse) "package open-vm-dkms 2010.04.25-253928-2 ubuntu2 failed to install/upgrade: open-vm-tools kernel module failed to build (maverick)" [Critical,Invalid] https://launchpad.net/bugs/629925
[14:54] <Martyn> Morning.
[14:54] <RoyK> good localtime();
[14:55] <lynxman> RoyK: does that take in account daylight saving times?
[14:55] <RoyK> lynxman: man localtime ;)
[14:56] <lynxman> RoyK: good :)
[15:07] <Martyn> good UTS(-4)
[15:07] <Martyn> *rolls eyes*
[15:13] <Martyn> when does the server team meeting usually take place?
[15:14] <Martyn> I thought Thurs mornings?
[15:18] <Daviey> negronjl: Your orchestra commit, do you want that sponsored - or hold out for more love?
[15:18] <negronjl> Daviey:  It would be great if I can get it sponsored :)
[15:18] <negronjl> Daviey:  I'll start the build and put it all on the ppa.
[15:19] <negronjl> Daviey:  I assume you can take it from there ??
[15:22] <Daviey> negronjl: no need.. i'll just upload it from the branch.
[15:23] <negronjl> Daviey:  Thanks!  Let me know if there is anything I can do to help
[15:23] <Daviey> negronjl: my car could do with a wash.
[15:23]  * Martyn chuckles
[15:23] <negronjl> Daviey:  I'll get right on that...just hold your breath :)
[15:24] <Daviey> wilco!
[15:26] <Ursinha> Daviey: hey man, bonjour
[15:29] <Martyn> Hey, Daviey .. what day/time is the next server meeting?
[15:29] <Martyn> I think I got wires crossed .. thought it was this morning.
[15:33] <lynxman> Daviey: I thought you didn't have a car
[15:34] <BPower> Hey all, apache and mysql are using a significant amount of memory even when they have no requests - apache has 11 processes running and mysql has 15 processes. Any suggestions on where I should start to reduce the memory/process load?
[15:34] <smoser> lynxman, just because daviey can't drive [well] doesn't mean he doesnt have a car.
[15:34] <lynxman> smoser: I assumed that was the case...
[15:37] <Daviey> lynxman: i have 3.
[15:37] <Daviey> Martyn: Tuesday
[15:37] <Martyn> Got it.
[15:37] <Martyn> Someone kindly gave me the fridge link
[15:37] <lynxman> Daviey: three cars? You almost sound American
[15:38] <Martyn> Well, now you have to tell us what kind of cars :)  Like on Top Gear. .. we will judge you by your taste in vehicles.
[15:38] <Daviey> lynxman: well one hasn't been on the road since 2004.
[15:41] <lynxman> some say... that he goes in flip flops to meetings, and also that he has three cars... all we know... he's called Daviey
[15:42] <Martyn> heh
[15:45] <Daviey> :o
[15:49] <fullstop> Hi.  I have a 4TB iscsi volume, which will have many millions of small files, from 300 bytes to ~20K each.
[15:50] <fullstop> I was thinking of going with ext4, but I'm trying to understand my limits with the # of inodes and the inode_ratio.
[15:50] <fullstop> is there an ext4 tuning guide, where I can calculate the maximum number of files, etc?
[15:55] <patdk-wk> 1 inode per file
[15:56] <patdk-wk> and probably 1 inode per 4k of disk space
[15:56] <fullstop> I think that I would want a blocksize of 1024
[15:56] <patdk-wk> then 1 per 1k max
[15:56] <fullstop> so that might chew through a bunch of inodes.
[15:56] <patdk-wk> but I would probably go with 4k anyways :)
[15:56] <fullstop> how come?
[15:56] <patdk-wk> let those 20k files help balance it out
[15:57] <fullstop> There are a _lot_ of 300 byte files.  :)
[15:57] <patdk-wk> I guess this isn't an email store
[15:57] <fullstop> lots of desolate land and water in the world.
[15:58] <patdk-wk> something tells me this is the *wrong* way to store your data though :)
[15:58] <fullstop> I'm storing map tiles..
[15:58] <fullstop> using the tile-cache data store.
[15:58] <patdk-wk> ya, but why store each one like that?
[15:58] <patdk-wk> or cause that is how some program does it, and you don't want to program it :(
[15:58] <fullstop> because they can be loaded using openlayers directly in a browser.
[15:59] <patdk-wk> browsers use http servers, not filesystems
[15:59] <Martyn> unless you are using webdav
[15:59] <patdk-wk> if there are lots of 300bytes files that are the same, hell, 1 300byte file would do so
[15:59] <patdk-wk> martyn, webdav is http
[15:59] <Martyn> webdav has no https support?
[15:59] <patdk-wk> it doesn't depend on a filesystem, the filesystem could be a database for all webdav could care
[16:00] <fullstop> the openlayers side can generate urls which map directly into the cache.
[16:00] <Martyn> ah, point
[16:00] <fullstop> when complete, the filesystem is read-only.
[16:00] <fullstop> and lookups are fast, far faster than what a database could do.
[16:00] <patdk-wk> fullstop, not saying it won't work
[16:00] <patdk-wk> heh?
[16:01] <fullstop> far faster than a database on top of a filesystem could do, if that makes sense.
[16:01] <patdk-wk> nope
[16:01] <patdk-wk> cause they are the same, unless you're not using an index
[16:02] <fullstop> implicit indexes with the filesystem.. each layer is in a directory, which is further sub-divided.
[16:02] <patdk-wk> databases also have indexes, it's just as fast
[16:02] <patdk-wk> but that isn't my point at all
[16:02] <fullstop> yes, but now I have to have something to query the database.
[16:02] <patdk-wk> I didn't even tell you to use a database
[16:03] <patdk-wk> so I dunno where that talk came from
[16:03] <fullstop> The point is, once I have the tiles rendered, I can serve them up directly from nginx.
[16:03] <fullstop> without any processing in between, other than the filesystem
[16:06] <patdk-wk> hmm, you waste 1k of disk space for every 4 inodes
[16:06] <Aison> is there a tiny webbrowser that I can install on my server for X11 forwarding?
[16:06] <patdk-wk> so 1/4 of your disk will be unusable for inodes
[16:07] <patdk-wk> might be as much as 1/3 after superblocks and other stuff are added in, not sure
[16:10] <bsg_kwolf> I'm having a bit of trouble using Kickstart to install a Ubuntu 10.10 VM on an 11.04 host.  No matter what I pass in the virt-install, it's trying to dhcp instead of using the static IP I'm passing.  Anyone seen this?  Here's my -x options:  "ks=http://10.254.254.11/jslave02.cfg ksdevice=eth0 ip=10.254.254.151 gateway=10.254.254.1 netmask=255.255.255.0 dns=192.168.42.2"
[16:10] <kierge-> if i use a dynamic dns resolver on my router is that dyndns.org address good enough to run a fully functional wordpress page from ?
[16:11] <kierge-> links and all ?
[16:11] <bsg_kwolf> Also, oddly it fails to do DHCP, even though it should be able to obtain an IP.  Makes me think for some reason the interface isn't up.  I can see it doing DHCP discovers in the logs, but it's never getting an offer, and it should.
[16:11] <patdk-wk> fullstop, 1k block size is only good up to 2tb
[16:11] <bsg_kwolf> If I then manually configure the network on the install it's fine.
[16:12] <fullstop> patdk-wk: good to know.  This is why I was asking.  :)
[16:12] <patdk-wk> seems ext4 does support large though (not ext3 though)
[16:12] <patdk-wk> but the ext utils still have limitations
[16:13] <chrisPerkins> Kierge I presume that you have a dyndns.org account set up and a server at home or the office somewhere behind a router with dynamic ip? is that right?
[16:13] <fullstop> I briefly considered reiserfs, but I don't know how much life it has left.
[16:13] <patdk-wk> reiserfs keeps on randomly corrupting itself on me, so I stopped using it
[16:14] <fullstop> and, from what I've read, xfs is more for large files... but I've read some positive things about small file situations as well.
[16:14] <fullstop> reiserfs corrupted stuff for me, but that was years ago on a mandrake system.
[16:14] <fullstop> so that should tell you the age.
[16:31] <chrisPerkins> I am tearing my hair out trying to set up a mail-server to support multiple domains. Has anyone got any solid experience or can they point me towards reliable information / tutorials etc?
[16:36] <uvirtbot`> New bug: #814164 in openvpn (main) "The init script does not handle the script-security parameter correctly when there are multiple configuration files" [Undecided,New] https://launchpad.net/bugs/814164
[16:41] <chrisPerkins> I am tearing my hair out trying to set up a mail-server to support multiple domains. Has anyone got any solid experience or can they point me towards reliable information / tutorials etc?:-/:P
[16:50] <raubvogel> Which user is kerberos  run as?
[16:51] <chrisPerkins> Anyone know how to build a mail-server?
[16:51] <raubvogel> chrisPerkins: requirements?
[16:52] <ksx4system> if i enable and configure ufw for IPv4 connectivity and then enable IPv6 in config - do rules made with v4 only setup apply to freshly enabled IPv6?
[16:52] <jdstrand> ksx4system: no
[16:53] <jdstrand> ksx4system: also, you will want to do 'ufw reload' after turning on ipv6
[16:54] <ksx4system> jdstrand: i did /etc/init.d/ufw restart
[16:54] <jdstrand> that's good enough
[16:54] <raubvogel> chrisPerkins: the ubuntu wiki has entries on setting up postfix + dovecot + etc. How deep the etc goes depends on what you need. hence the specs question
[16:54] <chrisPerkins> I am building a mail server to server multiple addresses over multiple domains. Have tried setting up ldap but can't find complete or reliable information. So looking to set up and configure postfix,  courier, mysql, apache, webmail, shorewall etc
[16:54] <ksx4system> jdstrand: so... i must create a new ruleset for IPv6, am i right?
[16:55] <raubvogel> chrisPerkins: multiple addresses + multiple domains could be done with postfix + dovecot + ldap
[16:55] <raubvogel> How do you talk to ldap depends on your mood
[16:56] <jdstrand> ksx4system: old rules will not be automatically applied to ipv6, because that might not be what the person actually wants. new rules may apply to both depending on the rule. eg 'ufw allow OpenSSH' would apply to both, 'ufw allow from 192.168.2.10' would not
[16:56] <BPower> Hey all, apache and mysql are using a significant amount of memory even when they have no requests - apache has 11 processes running and mysql has 15 processes. Any suggestions on where I should start to reduce the memory/process load?
[16:56] <patdk-wk> bpower, start by understanding how to read memory usage first :)
[16:56] <raubvogel> What I have here is that + usual spam/virus stuff + tls/smtp auth
[16:57] <chrisPerkins> thanks for your responses raubvogel I'm really going insane.
[16:57] <jdstrand> ksx4system: if you already did 'ufw allow OpenSSH' with ipv4 only, you should be able to do it again after enabling ipv6 and have it do what you want
[16:57] <patdk-wk> normally all that memory is shared between them
[16:57] <jdstrand> (ie, add only the ipv6 rule)
[16:57] <raubvogel> chrisPerkins: webmail stuff you can add later. Are you going to let people imap+tls to server?
[16:58] <patdk-wk> and normally apache doesn't use a lot of memory, unless you use mod_php, mod_perl, ...
[16:58] <BPower> patdk-wk, together apache(+php) and mysql are using over 300mb of memory with 0 requests in the past hour.
[16:59] <ksx4system> jdstrand: afaics when i'll be setting firewall from scratch (with dual stack v4/v6 connectivity) it'll be need to add rules only once?
[16:59] <patdk-wk> how did you come up with 300mb?
[16:59] <raubvogel> AFAIK, chrisPerkins, you can have ldap only talking to dovecot. And then postfix can use dovecot for tls auth and be done
[16:59] <VSpike> Hi - I have a Sitecom 300N X3 adapter (Ralink) and I'm having trouble making it work. Unsurprisingly
[16:59] <VSpike> I'm running Lucid
[16:59] <fullstop> nginx + php-fpm works quite well.
[16:59] <VSpike> Do I have any chance of making it work?
[16:59] <BPower> patdk-wk, top/htop
[17:00] <VSpike> rt2800usb module claims it but when loaded rejects it saying invalid chipset detected or similar
[17:00] <patdk-wk> well, I know top won't tell you correct memory usage, dunno about htop
[17:00] <raubvogel> VSpike: making it work == ?
[17:00] <VSpike> None of the rt*sta module seem to claim it, afaict
[17:00] <jdstrand> ksx4system: depends on the rule. if you are specifying an ipv4 address for example, then it won't be added to ipv6. see 'man ufw' for details
[17:00] <VSpike> raubvogel: well - appearing in ifconfig -a would be a good start :)
[17:00] <BPower> patdk-wk, the total memory usage on the server is the full 256 of allotted ram + 150mb of swap.
[17:01] <raubvogel> VSpike: does it at least show up on lsusb?
[17:01] <VSpike> raubvogel: sure does
[17:01] <fullstop> BPower: virtual machine?
[17:01] <BPower> fullstop, yes
[17:01] <VSpike> raubvogel: id is 0df6:0042
[17:02] <fullstop> BPower: depending on how tied your php stuff is to apache (.htaccess, mod_rewrite), you should take a look at nginx and php-fpm.
[17:02] <chrisPerkins> raubvogel Yes I'm going to allow people to access IMAP+tls
[17:02] <fullstop> BPower: http://interfacelab.com/nginx-php-fpm-apc-awesome/
[17:03] <patdk-wk> fullstop, that will do nothing to solve his issue
[17:03] <patdk-wk> it will just move the issue from apache to php
[17:03] <patdk-wk> cause then php will be showing ram usage, where now it is counted for in apache
[17:03] <raubvogel> VSpike: I do not know how dated this is: http://wiki.debian.org/rt2870sta
[17:03] <chrisPerkins> raubvogel Where should I start is there any reliable documentation? How long do you think it will take me realistically.
[17:04] <fullstop> patdk-wk: not true.
[17:04] <raubvogel> chrisPerkins: probably a few hours if you have everything lined up
[17:04] <patdk-wk> how so?
[17:04] <VSpike> raubvogel: yeah - I saw that. Makes me think perhaps I need to compile a new rt2870sta on my box using the latest code from ralink?
[17:04] <fullstop> patdk-wk: it removes php from the web processes, and keeps a pool of them running.
[17:04] <VSpike> I get the impression that the rt2x00 will not work no matter what
[17:04] <patdk-wk> fullstop, so does apache
[17:04] <fullstop> Not if you are using mod_php
[17:04] <patdk-wk> sure it does
[17:05] <patdk-wk> the same pool that does static pages does php ones
[17:05] <fullstop> a request for an image will be served by an apache worker with php
[17:05] <patdk-wk> sure, it's still a pool of processes
[17:05] <fullstop> Yes, but you do not need as many processes with php loaded.
[17:06] <patdk-wk> depends, my websites have more php hits than html/image hits, cause of expires headers and caching
[17:06] <fullstop> If you could have 10 processes with php for handling php code, and 20 processes just for handling static, that will win.. with the right usage.
[17:06] <patdk-wk> if you need that much static, you have crapload of first time users, or bad caching
[17:06] <fullstop> You must not have many images
[17:06] <chrisPerkins> raubvogel: So If I install postfix dovecot and ldap where is the best place to find instructions?
[17:07] <fullstop> You really can't control or rely on how a user's cache works.
[17:07] <patdk-wk> sure you can, that is the whole point of the expires header, etag, ...
[17:07] <raubvogel> chrisPerkins: I would get postfix+dovecot running (https://help.ubuntu.com/community/PostfixDovecotSASL and https://help.ubuntu.com/community/Postfix) and then go to the dovecot website and read their wiki on getting it to work with ldap
[17:07] <fullstop> I still stand by saying that, for low memory systems, nginx + apache-fpm gives you better control of your maximum memory usage under load.
[17:08] <raubvogel> VSpike: I would give the compilation thingie a try. Do you know if the device runs on another machine?
[17:08] <fullstop> patdk-wk: newer browsers do not always cache, until you have requested the same content a few times.
[17:08] <chrisPerkins> raubvogel: I'm on it thank you so much. Anything I should look out for?
[17:08] <raubvogel> chrisPerkins: there is also https://help.ubuntu.com/community/Postfix/DovecotLDAP
[17:08] <fullstop> It really depends on how full the cache is, and what they choose to keep / expire from the cache
[17:09] <fullstop> Do some testing with chromium, firefox and internet explorer.  It's actually kind of surprising.
[17:09] <jdstrand> hallyn: hey, so all those libvirt packages in -proposed. can you prod them along? I've got another security update and would prefer not to stomp on your packages yet again
[17:09] <patdk-wk> well, all my users browsers are pretty dumb then, and cache everything
[17:09] <jdstrand> hallyn: I mean, I'll do it; just know I won't enjoy it :P
[17:09] <raubvogel> chrisPerkins: I think that should get you going. Then, if you are stuck in dovecot, the people at #dovecot are really helpful. #postfix, well, they do expect you to know it well before asking
[17:10] <raubvogel> I am going food hunting
[17:11] <BPower> fullstop, patdk-wk, interesting conversation. I'll take a look into it and see if it suits my needs :) Thanks
[17:11] <patdk-wk> bpower, as for mysql
[17:11] <patdk-wk> well, it's designed to do that on purpose
[17:11] <patdk-wk> normally you want your database fast, that means in memory
[17:12] <patdk-wk> if you want it smaller, you have to tune it smaller
[17:12] <patdk-wk> default is 128megs cache
[17:12] <hallyn> jdstrand: yeah, let me take a look, thanks for the heads-up
[17:12]  * patdk-wk plays with smem some
[17:12] <jdstrand> hallyn: thanks
[17:13] <BPower> patdk-wk, you're right. i should have thought of that -- just skipped my mind for some reason. I was considering moving the db server to its own unit.
[17:13] <patdk-wk> hmm, my apache is using 1.5megs per process
[17:14] <fullstop> patdk-wk: using mod_php or php as fastcgi?
[17:14] <patdk-wk> mod_php
[17:14] <fullstop> I have a hard time believing that php fits into 1.5 megs
[17:14] <fullstop> it is shared, understandably...
[17:15] <patdk-wk> ya, that is 1.5megs uniq memory per process
[17:15] <patdk-wk> I'm sure apache+php has lots of shared code pages across all processes
[17:15] <patdk-wk> but I shouldn't count those 10times their real amount
[17:16] <patdk-wk> top says apache is using 9.6megs
[17:16] <patdk-wk> but real memory used is 1.4 to 1.8megs per process
[17:17] <patdk-wk> so in reality, my 10 apache processes are using 16megs of ram total
[17:17] <patdk-wk> not 96megs
[17:19] <fullstop> patdk-wk: Where are you getting 1.5 from?  What utility / proc entry?
[17:19] <patdk-wk> smem
[17:19] <fullstop> I want to compare to ubuntu-server here
[17:20] <patdk-wk> uss = uniq mem per process, pss = process size, rss=same as top value
[17:20] <patdk-wk> pss includes its usage of shared ram
[17:22] <patdk-wk> hmm, now this loaded down apache is using about 20megs per process
[17:22] <patdk-wk> but it also has 300megs usage in php apc
[17:23] <BPower> patdk-wk, holy crap. to install smem it requires 80+ more dependencies.
[17:23] <patdk-wk> apt-get --no-install-recommends install smem
[17:23] <patdk-wk> :)
[17:23] <patdk-wk> you probably don't need it to make pretty graphs
[17:27] <BPower> cool
[17:27] <BPower> i've got to run now.  thanks a ton patdk-wk and fullstop :)
[17:32] <fullstop> patdk-wk: and which column?  RSS or PSS?
[17:32] <patdk-wk> pss
[17:32] <patdk-wk> rss will be the same as top, uniq memory + all shared memory
[17:33] <fullstop> patdk-wk: are you using any swap?
[17:34] <patdk-wk> for apache, nope
[17:34] <patdk-wk> udevd is swapped out hard :)
[17:36] <patdk-wk> amavisd looks interesting, uss=50megs, pss=80megs, and rss=142megs
[17:37] <patdk-wk> it's like the only threaded thing I have that has craploads of uniq mem
[17:40] <fullstop> okay, using smem I show apache at about 600K
[17:40] <fullstop> nginx at 800K..  but this is not apples-to-apples at all.
[17:41] <fullstop> since php is not embedded in nginx
[17:41] <fullstop> and instead works through a separate pool.
[17:41]  * patdk-wk prefers lighttpd
[17:41] <fullstop> And, additionally, apache has far more workers.
[17:42] <fullstop> I used lighttpd for a while.  The config file can be a real pain.
[17:42] <patdk-wk> hmm? config file is easy
[17:42] <fullstop> That is, it's not really clear what is wrong when there is a syntax error.
[17:42] <fullstop> I find nginx's config file far easier to read.
[17:42] <patdk-wk> lighttpd 2.x has a fun config
[17:45] <fullstop> I am pretty sure that I was using one of the later 1.X's.
[17:45] <fullstop> 1.4.X
[17:46] <fullstop> I still think that nginx wins.  :)
[17:46] <fullstop> especially with unanticipated load.
[17:46] <fullstop> Cases where people do not already have your static content in their cache.  ;-)
[17:50] <MinaSh> Hello, my server has many domains and subdomains. I have a service running on port 8081. now it is accessible by any domain of them. I want it to be accessible only by one of them. how can I disable others or at least make them redirect to my desired one?
[17:56] <bsg_kwolf> I'm setting up VM's in a ubuntu 11.04 host running 10.10 on the VM's.  I'm having trouble getting kickstart to accept the static IP I'm passing it with '-x "ks=http://10.254.254.11/jslave02.cfg ksdevice=eth0 ip=10.254.254.151 gateway=10.254.254.1 netmask=255.255.255.0 dns=192.168.42.2"' being passed to virt-install.  It's always using DHCP.
[17:56] <bsg_kwolf> Any one any ideas?
[17:57] <rcaskey> I just setup a new linode and it set the root password for me as part of the setup, but I want it as similar as possible to a stock install. I added my own user, added the user to the sudo group, how do I lock out the old root login?
[17:58] <ScottK> rcaskey: See https://help.ubuntu.com/community/RootSudo
[17:58] <ScottK> It's described there how to do it.
[17:59] <netritious> Hi, how do I install Ubuntu server and exclude ubuntu-standard meta-package? Like jeOS, but I'm using 10.04. I'm looking for the smallest (reasonable) footprint.
[18:01] <patdk-wk> netritious, click f4, and select minimal
[18:02] <patdk-wk> but then that IS jeOS :)
[18:02] <netritious> patdk-wk, I thought I tried that but will try again. Thanks!
[18:03] <patdk-wk> mine comes in at around 400megs about
[18:03] <patdk-wk> and approx 24megs of ram usage on boot
[18:03] <netritious> nice..that's what I seek. :)
[18:09] <rcaskey> should I install dbndns or djbdns?
[18:10] <patdk-wk> personally, I wouldn't use either
[18:11] <rcaskey> patdk-wk, I'm considering a move to bind but I inherited djbdns and need to setup a secondary external without a lot of fuss
[18:11] <rcaskey> so it's something I'd revisit later
[18:19]  * RoyK found a pin with hammer and sickle at work and is wondering if people will look sideways if he wears it
[18:20] <raubvogel> RoyK: If you wear it on your nose, yeah. As a nipple ring, well, I would look sideways myself...
[18:21]  * RoyK doesn't pierce his skin
[18:22] <RoyK> I saw this poster once, someone made a jolly big one with hammer and banana
[18:24] <raubvogel> RoyK: lol
[18:28] <geekbri> Guys, i ran apt-get upgrade and now suddenly my locales is broken.  When i try to do tab completion in bash i get bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.us-ascii).
[18:28] <geekbri> However if i sudo su and I am root I dont get the error, any clue how to fix this
[18:47] <uvirtbot`> New bug: #814226 in samba (main) "package samba 2:3.5.8~dfsg-1ubuntu2.2 failed to install/upgrade: el subproceso instalado el script post-installation devolvió el código de salida de error 1" [Undecided,New] https://launchpad.net/bugs/814226
[18:51] <adam_g> RoAkSoAx: ping
[18:52] <RoAkSoAx> adam_g: pong
[18:54] <adam_g> RoAkSoAx: how did you want to handle bug #744293?
[18:54] <uvirtbot`> Launchpad bug 744293 in drbd8 "Infinite loop in helper LVM script for DRBD 8 in Lucid" [High,In progress] https://launchpad.net/bugs/744293
[18:55] <RoAkSoAx> adam_g: yes was just about to review it
[18:55] <b0gatyr> hi guys, why are virtual IPs usually set on loopback interfaces?
[18:55] <fullstop> djbdns isn't all that bad.
[18:56] <fullstop> I use it here, but if I had to do it again I'd use nsd / unbound.
[18:57] <patdk-wk> b0gatyr, what exactly is a *virtual* ip?
[18:58] <fullstop> I think he is talking about eth0:1
[18:58] <fullstop> a virtual interface
[18:58] <patdk-wk> that isn't virtual, or on a loopback
[18:58] <fullstop> or maybe he means private addresses
[18:59] <patdk-wk> eth0:1 is technically nothing more than a label, used to be called an alias
[18:59] <b0gatyr> sorry I meant an IP set on a virtual interface
[18:59] <fullstop> patdk-wk: eth0:1 is commonly referred to as a virtual interface
[18:59] <patdk-wk> by virtual interface, you mean for some type of vm thing?
[19:00] <patdk-wk> fullstop, never seen that in the last 20 years of using linux
[19:00] <b0gatyr> but i've seen people use the loopback interface for this, wouldnt this cause problems since packets are sourced with that loopback address?
[19:00] <patdk-wk> why would they be sourced with the loopback interface?
[19:00] <patdk-wk> the interface source and ip have nothing to do with each other
[19:01] <fullstop> patdk-wk: Look around.. it's really a common term.  :)
[19:01] <patdk-wk> except if a packet goes out an interface without a source ip
[19:01] <patdk-wk> fullstop, I try to use official terms, cause anything else causes confusion
[19:01] <RoAkSoAx> adam_g: btw.. on SRUs if the version I had prepared was ubuntu2.2 and you made changes *before* it actually hit the archives, you keep the version but just add your name and changes to the changelog entry
[19:01] <patdk-wk> eth0:1 is an aliased interface, according to man ifconfig
[19:01] <patdk-wk> and that has been deprecated with iproute2 for years now
[19:02] <RoAkSoAx> adam_g: however, in this particular case we don't need to add that as we "understand" that a patch should have been added to 00list :)
[19:03] <patdk-wk> b0gatyr, are you looking at a ipvs setup?
[19:03] <fullstop> patdk-wk: It's still a commonly used term, for at least the last decade.
[19:03] <adam_g> RoAkSoAx: right, i was mainly just throwing something together to get him up and testing while you were busy at the sprint. did it ever make it to the SRU queue as it was?
[19:04] <patdk-wk> fullstop, and it's so wrong and incorrect on so many levels
[19:04] <geekbri> christ, does anybody here have a clue why on ubuntu 10.04 LTS i suddenly get all sorts of terrible locale errors when i try to use tab completion?
[19:04] <patdk-wk> geekbri, your locale was never set?
[19:04] <RoAkSoAx> adam_g: i can't really remember
[19:05] <fullstop> patdk-wk: It's still used, and you may benefit from understanding what others mean.
[19:05] <geekbri> patdk-wk: it was working fine until i ran apt-get upgrade a couple minutes ago.  I've tried locale-gen and it seems to generate my locales fine
[19:05] <RoAkSoAx> adam_g: doesn't look like it: https://launchpad.net/ubuntu/lucid/+queue?queue_state=1 :)
[19:05] <patdk-wk> geekbri, "sudo dpkg-reconfigure localeconf"
[19:06] <adam_g> RoAkSoAx: yah.. so you'll just fix the packaging error and get SRU started?
[19:06] <geekbri> patdk-wk: results in some perl errors saying setting locale failed.  It also says it cannot set "LC_CTYPE, LC_MESSAGES, and LC_ALL"
[19:07] <RoAkSoAx> adam_g: yeah I'll just upload it as the SRU justification is already done
[19:07] <adam_g> sounds good
[19:15] <RoAkSoAx> adam_g: alright, it's in the queue waiting for approval
[19:17] <chrisPerkins> #drupal
[19:19] <geekbri> patdk-wk: just a heads up, i think apt-get upgrade broke it, i wish i could remember which package but i added LC_ALL=en_US.UTF-8 to my /etc/default/locale and it fixed it
[19:37] <maxagaz> hi
[19:37] <maxagaz> when I do: man cbq, I get CBQ(8) at the top, what does 8 stand for?
[19:38] <jhobbs> man man has the answer
[19:42] <uvirtbot`> New bug: #496601 in vsftpd (main) "package vsftpd 2.2.0-1ubuntu1 failed to install/upgrade: ??? ???? post-installation ?? ?????? 1 (dup-of: 523896)" [Low,Confirmed] https://launchpad.net/bugs/496601
[19:46] <raubvogel> which user is krb5kdc run as?
[20:14] <geekbri> I'm not 100% which package it is, but i've had 2 of my servers locale break after an apt-get upgrade... just figured i'd say something...
[20:23] <geekbri> make that 3 servers.
[20:23] <pmatulis> geekbri: well, pastebin the output
[20:24] <hallyn> and maybe the end of /var/log/dpkg.log
[20:24] <geekbri> yeah let me find out that information hold on.
[20:25] <geekbri> predictably so it looks to be the locales 2.11+git20100304-3 causing the issue at least for me.
[20:30] <geekbri> hrm i could be wrong, it could be libc
[20:52] <philipballew> QUESTION: does ssh work when i have not logged into my server with my user account?
[20:53] <raubvogel> philipballew, what do you mean?
[20:54] <philipballew> like can i take my server. plug it into a cat 5 power it on and ssh into it without entering username and password from a keyboard connected to the server
[20:54] <philipballew> raubvogel,
[20:54] <raubvogel> philipballew, that is exactly what you use ssh for
[20:55] <raubvogel> you first make sure you have openssh-server installed
[20:55] <philipballew> i selected open ssh during install
[20:55] <raubvogel> and then, say, ssh thetick@monkeybutt.com
[20:55] <raubvogel> Then it should be installed
[20:55] <raubvogel> did you try to ssh into it?
[20:56] <philipballew> i installed it offline and need to connect it to the network now
[20:56] <philipballew> if im on a lan i can just enter ssh nameofcomputer ?
[20:57] <raubvogel> If you are logged in as the same user in another machine, sure
[20:57] <raubvogel> otherwise, see the example above
[20:57] <raubvogel> (monkeybutt)
[20:58] <raubvogel> That would be ssh'ing from a Mac or a Linux/unix box to the monkeybutt
[20:58] <philipballew> well im on my ubuntu laptop
[20:59] <raubvogel> same use as in the other machine?
[20:59] <philipballew> i am connected to the same router as the server
[20:59] <philipballew> i need to ssh into it
[20:59] <philipballew> it doesnt have a domain
[20:59] <raubvogel> I meant same *user*
[21:00] <philipballew> ? in what way
[21:00] <raubvogel> I am going to call your server monkeybutt. So which is the username you are going to log in as when you connect to monkeybutt?
[21:02] <philipballew> alright so since my computer's name is philipserver i type ssh philipserver
[21:02] <raubvogel> What is your username in philipserver?
[21:02] <philipballew> philip
[21:02] <raubvogel> And what is the username in your laptop?
[21:03] <philipballew> philip
[21:03] <raubvogel> If and only if they are the same, then you can do ssh philipserver
[21:03] <philipballew> and if they are not. find the local ip and go that way?
[21:04] <raubvogel> philipballew, we are still talking about username. You normally do ssh user@machine. In your case you can do philip@philipserver or, since you are using the same username, omit it
[21:05] <raubvogel> Now, if philipserver does not work, you then replace "machine" with the ip address
[21:05] <raubvogel> so, if philipserver's address is 192.168.1.2, you could do ssh 192.168.1.2
[21:05] <philipballew> time to pop up nmap
[21:05] <philipballew> haha
[21:06] <raubvogel> Or go ask your router
[21:06] <philipballew> that too
[21:11] <philipballew> does it matter if im connected wirelessly and the server is not?
[21:27] <raubvogel> philipballew, that depends on how you set your router
[21:27] <raubvogel> can you ping the server from laptop?
[21:27] <philipballew> no i can not
[21:27] <philipballew> :(
[21:28] <philipballew> it's a horrible router
[21:32] <philipballew> i need to port forward 22 probably
[23:48] <maxb> I think I may have found a (non-vulnerability) bug in OpenSSH. What's the best place to ask about it?  (ChallengeResponseAuthentication=no also disables KbdInteractiveAuthentication)