[01:04] <airtonix> love driveby
[02:22] <MrUnagi> I need a little help setting up a mail server with ubuntu, it seems i can log with telnet but not with a mail client, did i skip over a step?
[02:30] <airtonix> depends
[02:30] <airtonix> MrUnagi: what steps did you follow
[02:31] <MrUnagi> to be honest i have tried several including in the ubuntu docu
[02:31] <MrUnagi> https://help.ubuntu.com/community/MailServer
[02:34] <MrUnagi> so basically my current state is i can telnet 143 and log in with success
[02:34] <MrUnagi> when setting up my client, i get the certificate error as expected, but the account remains offline
[02:36] <twb> MrUnagi: https://help.ubuntu.com/10.04/serverguide/C/email-services.html is the official documentation.
[02:36] <twb> AFAIK community/ stuff is unofficial
[02:40] <MrUnagi> I've tried that guide as well
[02:41] <MrUnagi> i know that i am at least communicating with dovecot because i get the certificate error
[02:41] <twb> Are you testing this with "mutt -f imaps://MrUnagi@127.0.0.1/" on the server itself?
[02:41] <MrUnagi> i tested telnet locally and remotely
[02:42] <MrUnagi> i am not sure what mutt is
[02:42] <MrUnagi> is it a mail client?
[02:42] <twb> An MUA
[02:42] <twb> Yes.
[02:42] <MrUnagi> i have not tried it with mutt i was trying it with mail.app on os x
[02:43] <twb> Please reproduce the problem with mutt on the server.
[02:43] <MrUnagi> installing now
[02:43] <twb> Also, unless you're doing STARTTLS, there should be no TLS (a.k.a. SSL) at all on 143.
[02:43] <MrUnagi> well that was something that popped up in my mind as well
[02:45] <MrUnagi> some error occurred and mutt quit
[02:45] <MrUnagi> i have to locate the mutt log
[02:46] <twb> You ran the command I gave you initially?
[02:46] <twb> 12:41 <twb> Are you testing this with "mutt -f imaps://MrUnagi@127.0.0.1/" on the server itself?
[02:46] <MrUnagi> yes
[02:46] <twb> The error should sit around for a few seconds unless you hit a key, so it should be easy to transcribe
[02:46] <MrUnagi> internal error occurred
[02:46] <twb> Well that's bizarre
[02:47] <MrUnagi> server bug refer to server log for more information
[02:47] <twb> OK, that's more reasonable
[02:47] <twb> SO now open another window and do "tail -fn0 /var/log/syslog /var/log/auth.log"
[02:47] <twb> Then when you try mutt again, it'll show you what the server-side error was
[02:48] <MrUnagi> well thats too easy
[02:48] <MrUnagi> directory doesn't exist
[02:49] <twb> As in /var/mail/MrUnagi doesn't exist?
[02:49] <MrUnagi> i have reverted this snapshot so many times, i am having trouble keeping track
[02:49] <MrUnagi> well Maildir
[02:49] <MrUnagi> interesting
[02:49] <twb> I should've had you check the logs first, I just didn't trust that it was a server-side problem at first
[02:50] <MrUnagi> i can fix this no prob 1 sec
[02:53] <MrUnagi> ok it appears i am logged in with mutt
[02:54] <MrUnagi> and I'm sure i don't have postfix set up right because i have not received the test email i just sent
[02:55] <MrUnagi> but being able to log in server side means dovecot is good right?
[03:07] <philipballew> would anybody know anything about a linux network install
[03:11] <twb> !ask
[03:12] <twb> MrUnagi: yes re dovecot is good; re postfix, have you told it to deliver to Maildir?
[03:13] <philipballew> twb, i need to install ubuntu over a network.
[03:13] <philipballew> better
[03:13] <twb> philipballew: OK, so what isn't working?
[03:13] <philipballew> well. i have a laptop without a cd drive and too old to boot from usb
[03:14] <philipballew> and i need to remove microsoft and install linux, like i always do.
[03:14] <philipballew> this time i cant use a cd
[03:15] <twb> You're sure it can't boot from USB?  And you can't easily remove its HDD and put it in another box to do the install?
[03:16] <philipballew> i brobably could, if i get a case and some screws yeah.
[03:16] <philipballew> *pobably
[03:16] <philipballew> when did computers start to boot from usb?
[03:18] <twb> I don't know.  Maybe you should, you know, test USB bootin.
[03:18] <twb> I ask because if you have to PXE boot then you will need to set up a PXE server which is fiddly
[03:18] <philipballew> and i am kinda lazy
[03:21] <qman__> expensive computers started booting from USB around 2000
[03:21] <qman__> it became a fairly standard feature around 04
[03:22] <philipballew> # 3 on boot order is removeable devices twb
[03:28] <philipballew> hum. this is like 2001
[04:38] <ejv> evening everyone, i just installed ubuntu server 10.04 LTS on an old dell dimension desktop; I have two PCI ethernet cards, both recognized by Ubuntu, an Accton SMC2-1211TX and a 3Com Corporation 3c905B, i'm not getting an IP address (via DHCP) from my router, is there something that needs enabling?
[04:41] <twb> ejv: pastebin your interfaces(5) file
[04:41] <ejv> nevermind fellas, it appears a `dhclient -r` and then a `dhclient` fixed that right up as sudoer. thank you
[04:41] <twb> Righto
[04:41] <ejv> very weird that it wouldn't work "out of the box"
[04:41] <ejv> brand spanking fresh installation -_-
[04:43] <ejv> ok i rebooted, interfaces are gone again
[04:43] <ejv> how do I tell dhclient to run at boot?
[04:44] <qman__> configure your interfaces to use DHCP in /etc/network/interfaces
[04:44] <qman__> see man interfaces for details
[04:45] <ejv> i have auto dhcp and iface eth0 inet dhcp
[04:45] <ejv> in /etc/network/interfaces
[04:45] <ejv> (separate lines)
[04:45] <ejv> pardon me auto eth0
[04:46] <qman__> well, if eth0 is the one that's plugged in, it's correct
[04:46] <qman__> but since you have two, it's possible the one you're using is actually eth1
[04:46] <ejv> ahh
[04:46] <ejv> ok i will add a second identical line
[04:47] <ejv> there's two because i was thinking one card was faulty, if i can get this working i'll pluck it right out
[04:49] <ejv> qman__: if you're still around, im not familiar with this new version of grub, how do I tell the boot sequence to not be "quiet" but "verbose" ? :)
[04:50] <qman__> short answer is, you don't
[04:50] <qman__> it's possible to get the verbose kernel messages back but not without hacking up plymouth
[04:51] <qman__> since that's what suppresses them, not grub
[04:51] <ejv> hmm alright, thx for the input
[05:23] <U256> Hello everyone
[05:23] <U256> I need some help from anyone who is bored and might want to help
[05:28] <lickalott> ask
[06:01] <twb> Offtopic: is there a channel where I can ask about forcing lucid gvfs to mount FAT floppies with different mount options, and actually get a useful response?  Note: this rules out #ubuntu and irc.gnome.org
[06:02] <twb> (Yes, 3.5" floppies.  One of my prisons still uses them because, unlike USB keys, they can't be smuggled through checkpoints up your arse.  Sigh.)
[06:12] <twb> Scratch that, I'm not even sure it's gvfs.  Whatever nautilus is running.  Apparently gvfs is a nest of ELF binaries and no documentation or configuration or --help.  Sigh.
[06:13]  * twb RTFS's
[06:21] <kural> hello would linux-image-virtual contain XEN privileged guest support ?
[06:34] <twb> IIRC Xen isn't supported as at Lucid
[07:15] <smb> One can run Lucid generic-pae / server kernels as pv guest in Xen. Though it has not been the main target. There are linux-ec2 kernels which are maintained for running under xen.
[07:16] <twb> smb: well, sure, domU is mainline
[08:57] <uvirtbot`> New bug: #815760 in nut (main) "2.6.1-2ubuntu1 FTBFS on i386" [Medium,In progress] https://launchpad.net/bugs/815760
[09:47] <uvirtbot`> New bug: #815776 in php5 (main) "Unit tests inside PEAR packages need to go into /usr/share/php-test, not /usr/share/php/tests" [Undecided,New] https://launchpad.net/bugs/815776
[10:56] <alaing> how can i check what character set my server is using?
[10:59] <photon> env | grep LANG
[11:01] <alaing> I'm trying to setup zenphoto on my server and it says the following message
[11:01] <alaing> If your server filesystem character set is different from ISO‑8859‑1 and you create album or image filenames names containing characters with diacritical marks you may have problems displaying the names.
[11:02] <alaing> Currently my server is reporting back that its using utf8
[11:03] <photon> Well, the message is pretty much self-explanatory
[11:03] <alaing> could my web server be setup to use ISO?
[11:04] <photon> I guess, but that would be like asking if you could install Windows 95 instead. Unicode is pretty much the standard these days. I'd rather figure out how to install zenphoto with utf8.
[11:04] <alaing> setup i meant reporting thats its ISO instead of UTF8
[11:06] <alaing> after that message it says "Change the filesystem character set define to" followed by a drop down list of character sets and an apply button and then goes on to say "If you do not know the character set try "UTF-8""
[11:06] <alaing> I selected UTF-8 and clicked apply but it doesn't work it just reports the same error message. Perhaps its a permissions on the php script that runs
[11:07] <alaing> or could it be something else?
[11:08] <photon> I don't know, sorry, I never used zenphoto.
[11:08] <photon> maybe there's a chat room for that, or a forum?
[11:09] <alaing> thanks anyway
[11:09] <alaing> much appreciated
[11:09] <CatFish> see him walking
[11:09] <CatFish> kraak mie dan
[11:10] <CatFish> ie crack ue head boy
[11:10] <CatFish> effuh put friend
[11:10] <CatFish> ut need n
[11:11] <CatFish> heur hem kraake dan gek
[12:10] <_ruben> aww .. clusterstack stuff in the servergu.. err .. better check the most recent version of it before i finish that sentence
[12:10] <_ruben> doh, and forgot the "no" part as well
[12:11] <_ruben> ah, only drbd under the clustering part :/
[12:50] <hallyn> can anyone who is using multipath under lucid test the proposed fix for bug 690387, just to verify that it doesn't break your setup?
[12:50] <uvirtbot`> Launchpad bug 690387 in multipath-tools "udev block naming breaks failover and sd kref release cycle" [High,Fix committed] https://launchpad.net/bugs/690387
[13:01] <uvirtbot`> New bug: #815865 in apache2 (main) "Cookie variable in Apache LogFormat outputs incorrect value" [Undecided,New] https://launchpad.net/bugs/815865
[14:32] <hallyn> jdstrand: on bug 524447, it sits for 7 days, but as it's been verified, you can push your security changes on top of it right?
[14:32] <uvirtbot`> Launchpad bug 524447 in qemu-kvm "virsh save is very slow" [Medium,In progress] https://launchpad.net/bugs/524447
[14:39] <jdstrand> hallyn: can you poke pitti or SpamapS to process it?
[14:39] <hallyn> jdstrand: what do you mean by process it?
[14:40] <hallyn> SpamapS' last comment was that it has to wait 7 days in quarantine, now that it is verified.
[14:42] <jits> hi guys .. i have a ubuntu gateway which is allowing only google and some other sites to go thru .. everything else keeps waiting ... need help on how to go about digging it ..
[14:42] <SpamapS> jdstrand: needs 5 more days
[14:44] <jdstrand> hallyn: if it is verification-done, and past 7 days, then it should move to -updates
[14:44] <jdstrand> hallyn: based on SpamapS' comment, I'm confused though
[14:44] <jdstrand> (7 days vs 5 days left)
[14:45] <hallyn> jdstrand: it was pushed to -proposed on the 22nd
[14:45] <hallyn> supposed to sit there for 7 days
[14:45] <jdstrand> hallyn: I am preparing for a phone call atm. can we talk about this a bit later?
[14:45] <hallyn> jdstrand: absolutely
[14:55] <jits> hi guys .. i have a ubuntu gateway which is allowing only google and some other sites to go thru .. everything else keeps waiting ... need help on how to go about digging it ..
[14:57] <hallyn> jits: what were you wanting it to do, and how did you go about it?
[14:57] <jits> hallyn: i expect all sites to be accessible from client machines which have ubuntu server as gateway
[14:58] <jits> if i set the gateway to a router then everything works fine :-|
[15:04] <hallyn> jits: we'll need more information about how you set it and the network up.  but if you can get to the sites from the gateway itself, but not the clients, then I'd look at iptables output and the resolv.conf you're sending to the clients
[15:04] <jits> hallyn: I can get to any site from the gateway ..
[15:06] <jits> iptables output here http://paste.ubuntu.com/651802/
[15:07] <jits> the clients are all static ip .. configured to use gateway as dns .. the lookup works fine.. traceroute is also fine :-s ..
[15:07] <hallyn> iptables -t nat -L
[15:08] <jits> hallyn: http://paste.ubuntu.com/651804/ .. here it is
[15:16] <jits> anything ?
[15:20] <hallyn> jits: nope.  i don't see any forwarding rules.  but since you say google works, i dunno.
[15:21] <hallyn> jits: how is it set up?  When I do this to share wireless, I use a custom networking.conf entry with a post-up job that runs dnsmasq and iptables.  what are you using?
[15:21] <RoAkSoAx> smoser: howdy
[15:21] <smoser> hey
[15:21] <RoAkSoAx> smoser: ready for the presentation...anything I should know ?
[15:22] <jits> hallyn: no wireless .. its all physical connection ... has 50 odd clients in the vlan with one dhcp server cum gateway for other clients... one particular client is on this ubuntu gateway ..
[15:22] <smoser> RoAkSoAx, well... i'm going to get started on putting together what i want to say
[15:23] <smoser> i' think i'm going to basically just introduce what "cobbler-devenv" is
[15:23] <smoser> basically covering how it sets up a secluded network and builds a cobbler server to run in it.
[15:23] <RoAkSoAx> smoser: ok, cool. Will it install the webdav and stuff?
[15:23] <smoser> does it ?
[15:23] <smoser> i will check that...
[15:24] <RoAkSoAx> smoser: no I mean if it already does
[15:24] <hallyn> jits: maybe vlan is segregating traffic?  anyway, hopefully someone else will see your info and have an idea
[15:26] <jits> hallyn: yeah hope so .. thanks..
[15:28] <smoser> RoAkSoAx, i think it does...
[15:28] <smoser> but i haven't verified that it works
[15:30] <RoAkSoAx> smoser: ok I'll go over all that stuff
[15:30] <RoAkSoAx> smoser: as well as the preseed your devenv installs
[15:30] <RoAkSoAx> to get it to work with ensemble
[15:31] <smoser> hm..
[15:31] <smoser> so what should i talk about ?
[15:31] <smoser> :)
[15:32] <RoAkSoAx> smoser: thought you were gonna explain how the cobbler devenv works :)
[15:36] <smoser> yeah.
[15:37] <RoAkSoAx> smoser: ok so I will explain how ensemble works with orchestra and how your devenv is used to test "hardware" deployments
[15:37]  * kirkland listens to RoAkSoAx's explanation :-)
[15:39] <RoAkSoAx> kirkland: hehe will also send an email on how to do it later today
[15:39] <kirkland> RoAkSoAx: cool -- to where?  ubuntu-server maybe?
[15:40] <RoAkSoAx> kirkland: to our private ML, cc'ing you if you are not there anymore
[15:42] <zul> wouldnt ubuntu-server be a better idea?
[15:46] <RoAkSoAx> zul: Idk... it is still a proof of concept that hasn't really been tested on real hw yet and I think it should probably be officially announced past the sprint in Austin, where I expect to have it working
[15:46] <RoAkSoAx> fully
[15:46] <zul> RoAkSoAx: ah ok
[15:47] <uvirtbot`> New bug: #815968 in samba (main) "SWAT doesn't allow admin login after install" [Undecided,New] https://launchpad.net/bugs/815968
[15:47] <zul> who in the hell still uses swat
[15:47] <RoAkSoAx> lol
[15:50] <xibalba> hey folks, i was wondering if anyone here is familiar with nic-bonding and could help me out with my config ? http://paste.ubuntu.com/651826/
[15:52] <ppetraki> xibalba, looks plausible :) what's the outcome?
[15:53] <ppetraki> xibalba, oh, you need to define an alias for bond1 too upfront
[15:54] <xibalba> ppetraki , mmm taking a look
[15:54] <xibalba> ppetraki , i believe i did define one in bonding.conf for bond1 too, but i see i made it netdev instead. i will set them the same and reboot
[15:54] <ppetraki> xibalba, so it would be: alias bond0 bonding alias bond1 bonding
[15:54] <xibalba> ppetraki , in one line or two?
[15:55] <ppetraki> what really matters is the max bonding,
[15:55] <ppetraki> separate lines
[15:55] <ppetraki> options bonding max_bonds=5
[15:55] <xibalba> max bonding ? i heard about that before but i can't find a doc on configing it
[15:55] <ppetraki> will let you create up to 5 bonds
[15:55] <xibalba> ppetraki , does that go into bonding.conf ?
[15:55] <ppetraki> xibalba, no, modprobe
[15:56] <ppetraki> xibalba, http://lxr.linux.no/linux+v3.0/Documentation/networking/bonding.txt
[15:56] <ppetraki> xibalba, its all there
[15:56] <xibalba> ppetraki , forgive me if this is newbish, but i put it under bonding.conf under modprobe.d
[15:56] <xibalba> oh ok i will take a look
[15:57] <uvirtbot`> New bug: #798878 in nova "nova.conf should not be world-readable" [High,Confirmed] https://launchpad.net/bugs/798878
[15:58] <xibalba> ppetraki , i owe you a beer if this works
[15:58] <ppetraki> xibalba, bonding is pretty easy, just remove and install the module again
[15:58] <xibalba> i guess going forward i should search linux specific, not ubuntu specific information
[15:58] <kim0> Howdy folks, Ubuntu cloud days starting in #ubuntu-classroom on the hour .. see you there
[15:59] <xibalba> i'm not familiar with removing/installing modules in ubuntu. i come from BSD, used to maintaining freebsd mostly, just getting into ubuntu
[15:59] <ppetraki> xibalba, modprobe -r bonding && modprobe bonding
[15:59] <ppetraki> xibalba, :)
[16:27] <jamiemill> For PCI compliance I need to update to latest PHP/Apache on my Ubuntu Lucid - but apt has only updated to 2.2.14 - does that mean I have to update to Natty to get latest apache?
[16:33] <jamespage> jamiemill: you might want to challenge on 'latest' - my experience of PCI compliance was that you needed to prove that your software install is secure rather than at the latest version
[16:34] <jamespage> you should be getting updates for security vulnerabilities on lucid which should be enough IMHO
[16:34] <xibalba> ppetraki , hey are you still around?
[16:36] <jamiemill> jamespage: The scan report requests at least version php 5.3.6 and apache 2.2.17, both newer than in the Lucid repositories according to this page http://distrowatch.com/table.php?distribution=ubuntu
[16:40] <jamespage> jamiemill: does your scan provide reasons for these minimum version numbers? its normally to do with security vulnerabilities that have been found in lesser versions
[16:41] <jamiemill> jamespage, yes it is. 72 failures individually itemised with the version of php and/or apache they say fixed it. That was before i updated today, so some will go away on the next scan, but some need newer versions that I can get from lucid repos.
[16:42] <jamiemill> jamespage. But I'm going to disable sending the server signature in apache, so once I've done that I don't know how they'll know the version ...
[16:43] <jamespage> jamiemill: there are other ways....
[16:43] <jamiemill> jamespage Like adding other repos ?
[16:43] <jamiemill> jamespage or building from src
[16:43] <jamespage> sorry - I meant of detecting which apache version you are running
[16:43] <jamiemill> jamespage Oh! how?
[16:43] <jamespage> jamiemill: so I would go back again to which specific vulnerabilities they are looking for version upgrades to fix
[16:45] <jamespage> jamiemill: http://tinyurl.com/6ferf8p details the updates to 2.2.14 since Lucid was released.
[16:45] <jamespage> that might help
[16:45] <jamiemill> jamespage: one example: "Apache HTTP Server Multiple Remote Denial of Service Vulnerabilities" CVE: CVE-2010-1452 NVD: CVE-2010-1452 -> "Apache addressed these issues in 2.2.16. Upgrade to the latest supported version of Apache."
[16:45] <uvirtbot`> jamiemill: The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452)
[16:46] <jamiemill> oh! thanks uvirtbot`
[16:46] <jamiemill> clever bot
[16:46] <jamespage> fixed in 2.2.14-5ubuntu8.4
[16:47] <jamespage> jamiemill: Upgrade to the latest supported version of xxx
[16:47] <jamespage> is a standard response - however most linux distros don't upgrade the version - they backport security fixes plus critical bugs
[16:47] <jamiemill> jamespage - OK that's what I was assuming actually. So I wonder how I get to pass this damn test
[16:48] <jamespage> jamiemill: do you have a human to talk to or is it the automated test?
[16:49] <jamiemill> jamespage I'm not sure, I was just passed the results. It's "Trustwave", recommended by PayPal I believe
[16:50] <jamespage> jamiemill: so it is acceptable to identify false positives during PCI scanning - it covers this exact scenario
[16:50] <jamespage> where the scan says something bad - but you can prove otherwise
[16:50] <jamespage> however you will need to get whoever has to accept the test results to agree
[16:50] <jamiemill> jamespage - OK I need to get in touch with them because I don't want to run around trying to prove this to them. There must be a process.
[16:51] <jamespage> normally its about having a sensible conversation about what you are running your infrastructure on
[16:51] <jamiemill> On another note, I'm perfectly happy to update to natty actually, so might just do that.
[16:51] <jamespage> jamiemill: OK - but please be aware that its not an LTS release
[16:52] <jamespage> jamiemill: you may still have to prove that your software is up-to-date and addresses the required security vulnerabilities
[16:53] <jamespage> however if you have a handy IT Security guy around he might help out with that :-)
[16:54] <jamiemill> jamespage - yes I am aware of that, LTS sounded nice at the beginning when they released it, but now I'm not sure what the advantage is knowing that packages lag behind (in terms of version numbers, even if not security)
[16:55] <jamiemill> jamespage - we're a small team and like to be on the latest, only using apache, php and git on AWS so I don't imagine much will break on a newer version
[16:55] <dori922> setting up a UEC front end server can i run another cloud OS type  the nodes? (ie Xen or debian or the like?)
[16:55] <jamespage> jamiemill: well its not for everybody
[16:56] <jamespage> jamespage: good luck with PCI certification on AWS :-)
[16:56] <jamiemill> jamespage: hmm - thanks - well we don't store CC data, only transfer it, so I hope we'll be ok
[16:57] <jamespage> jamiemill: exempts you from a few parts of the spec then
[16:57] <jamespage> jamiemill: but its still a PITA
[16:58] <jamespage> hmm - just realised I wished myself goodluck rather than jamiemill - doh!
[16:59] <jamiemill> ha ha - didn't notice
[17:00] <xibalba> hey folks, would any of you have a moment to help me out with a bonding issue?
[17:00] <xibalba> my bonds are finally showing in ifconfig thanks to ppetraki , however the status is showing down.
[17:11] <ppetraki> xibalba, well, what does ifenslave say about it?
[17:12] <xibalba> you know i haven't installed that yet, let me reconfig eth3 and install that
[17:17] <xibalba> ppetraki , ok time to figure out how to use this
[17:17] <xibalba> resetting the box , since i reconfigured eth3 to have a WAN ip so i can route out
[17:17] <xibalba> i'm hitting this box via ipmi only right now
[17:18] <ppetraki> xibalba, you need that to make bonding function....
[17:25] <xibalba> hey ppetraki , sorry i just lost internet. had to run downstairs and fix it
[17:26] <xibalba> ppetraki , oh i wasn't aware you actually needed ifenslave to make the bonding work, i thought it was only for admining, and was required on versions of ubuntu older than 10.0.4
[17:29] <xibalba> hey ppetraki , where can i ship a case of beer to you "?
[17:30] <ppetraki> xibalba, it's really nothing.
[17:30] <xibalba> not to me buddy :)
[17:30] <xibalba> thank you thank you, many times
[17:30] <xibalba> been at this for a week
[18:27] <MrUnagi> when sending mail to an account on my server i get mail undeliverable, how do i troubleshoot this
[18:40] <CrazyGir> hello!
[18:41] <CrazyGir> I have a vm server I would like to forward certain ports to specific vms sitting on an internal subnet. would this be done with ufw? or ufw & iptables?
[18:42] <patdk-wk> ufw is nothing more than a simple iptables rule maker
[18:44] <CrazyGir> sure, so I guess my question is.. can ufw be used for NAT definitions, or do you have to get dirty with IP Tables?
[18:44] <alamar> iptables are dirty?
[18:44] <CrazyGir> alamar: have you ever used pf?
[18:44] <alamar> yes
[18:44] <CrazyGir> so you should know what I'm referring to :)
[18:44] <jdstrand> CrazyGir: ufw can be used for NAT, just not with the cli command, so you need iptables knowledge. see 'man ufw-framework' for details
[18:44] <alamar> I still don't think of iptables as dirty
[18:44] <CrazyGir> ufw exists for the same reason :P
[18:45] <alamar> I do not care about strange abstractions I have no use for :p
[18:45] <CrazyGir> sure, masochism is acceptable, I have no issue with that, but not my choice ;)
[18:45] <CrazyGir> I'll take a read jdstrand, thanks
[18:48] <CrazyGir> alamar: these conversations usually include some element of straight up opinion, but I don't think there is an interface/system in linux that is as complex and UNREADABLE as iptables (with the same breadth of use)
[18:48] <alamar> well I do not think of it as unreadable
[18:48] <alamar> and I think everything about desktops today is way more complex
[18:49] <alamar> (at least for me)
[18:49] <CrazyGir> hah
[18:49] <CrazyGir> I would prescribe OpenBSD to you for a good year ;)
[18:49] <CrazyGir> that'd fix you right up :)
[18:49] <alamar> I don't have any use for openbsd
[18:49] <CrazyGir> sure, you are probably being paid to keep things complex
[18:50] <alamar> openbsd just lacks a lot of commonly used things
[18:50] <alamar> and as I mentioned desktops are complicated - iptables is easy
[18:50] <alamar> and layering ufw above iptables just causes problems when the setups gets more complicated and you have to manually intervene
[18:50] <CrazyGir> alamar: really? like what?
[18:50] <alamar> like virtualization?
[18:51] <CrazyGir> sounds like you are going along with what folks "say"
[18:51] <CrazyGir> I would agree with you there, but I agree with their reasons for doing so, and honestly, not using virtualization keeps life simple
[18:52] <CrazyGir> anything other than virtualization?
[18:52] <alamar> it does not. it keeps the costs high and causes more complexity for keeping things separated
[18:53] <CrazyGir> sure, so you have setup VM clusters, more than 2 node? on a budget without FC?
[18:53] <CrazyGir> and you would agree that is simple?
[18:53] <CrazyGir> and again, anything other than virtualization?
[18:54] <alamar> CrazyGir: yes I have setup virtualization clusters with more than 2 nodes. and yes it is simple
[18:54] <alamar> and I was not talking about clustering
[18:54] <CrazyGir> *vm clustering
[18:54] <alamar> (I don't know if openbsd has any clustering capabilities)
[18:55] <CrazyGir> what did you do for storage?
[18:55] <alamar> depends
[18:55] <CrazyGir> I would be thrilled to hear about your "simple" setup :)
[18:55] <CrazyGir> as I was beginning to believe there wasn't one :)
[18:55] <CrazyGir> back to ubuntu for a moment: if you update /etc/ufw/before.rules, how do you make them take effect?
[18:56] <jdstrand> sudo ufw reload
[18:56] <CrazyGir> w00t
[19:00] <CrazyGir> alamar: no? I'm really not being facetious, I am really looking for something simple there
[19:01] <CrazyGir> honestly, I have yet to find an OS that was as simple to setup, as clean and uniform to admin, and a joy to work with, all while being truly open, free, and secure, as OpenBSD
[19:02] <CrazyGir> so I don't try to incite rioting, but I am really left scratching my head when someone says iptables is simple or readable
[19:09] <alamar> CrazyGir: simple for what? distributed storage? iscsi or fc - clustering? pacemaker - virtualization? depends. And yes most of this stuff is easy to deal with.
[19:10] <zul> SpamapS: can you accept the landscape-client sitting in proposed for lucid
[19:33] <SpamapS> zul: will take a look shortly
[19:33] <zul> SpamapS: thanks
[19:53] <alamar> CrazyGir: other things openbsd lacks are besides the very minimal amount of software in the base system, the limited maintained amount of ports and things like long support cycles (5 to 9 years) - technically there are things missing like drbd, i don't know how the situation is with fc or iscsi or how good the capabilities of a logical volume manager are, high availability clustering and of course virtualization - which really is a big deal, ...
[19:53] <alamar> ... virtualization is really necessary for a whole lot of reasons (saving space, power, hardware resources (or using them more efficiently), reduced managing costs, security considerations among many many others). openbsd does not even have a good os-level virtualization which is a really nice thing if you want to really separate services on your system.
[19:59] <CrazyGir> alamar: that would be because the devs know the inherent security risks virtualization poses, see their write ups for details
[20:00] <CrazyGir> and I'd be curious what storage clustering tech (low-budget, no FC) you found so simple
[20:03] <alamar> CrazyGir: why low budget? you can use drbd for example. you conveniently dismiss other points. and why openbsd does not have any virtualization is none of my interest. it does not offer any capabilities for virtualization which is what counts.
[20:04] <CrazyGir> I don't have 20k for FC :)
[20:04] <alamar> change your job then. use iscsi, drbd or nfs or whatever fits your usecase
[20:04] <CrazyGir> i didn't find drbd reliable or easy to configure
[20:05] <alamar> it really is easy to configure
[20:05] <alamar> and depending on the protocol you use it IS reliable
[20:05] <CrazyGir> again, my "standards" for these things are set from having used BSD for so long
[20:05] <alamar> you can use it with etherchannel/trunking
[20:05] <CrazyGir> alamar: split brains are too easy to trip
[20:06] <alamar> with multiple links it is very unlikely
[20:06] <CrazyGir> and you are correct about iSCSI in OpenBSD, but that is because no one has really forked up the hardware to make it happen
[20:06] <alamar> also you can use drbd with pacemaker to deal with split brain situations
[20:06] <CrazyGir> we were
[20:06] <alamar> CrazyGir: the reasons do not matter. what matters is the lack of something.
[20:06] <CrazyGir> the lack of something?
[20:06] <CrazyGir> I'm not sure I'm following you there
[20:06] <alamar> lack of virtualization for example.
[20:07] <CrazyGir> overall I think we agree, except on what we consider simple or reliable
[20:07] <CrazyGir> eg, I imagine you consider the linux kernel as something reliable
[20:07] <alamar> CrazyGir: what is unreliable about it
[20:09] <CrazyGir> alamar: I could list off quite a few things I imagine all of us have faced, but it is like asking a windows guy if windows is reliable, they'll tell you either yes or mostly. But until their perspective has been broadened to include experience with systems that are more reliable, they won't see it otherwise
[20:10] <alamar> CrazyGir: I ran openbsd for many years
[20:10] <CrazyGir> I would not consider the linux kernel something I want to rely on (which makes virtualization all the better)
[20:10] <alamar> linux even longer
[20:10] <alamar> I really do not know what you mean by unreliable
[20:10] <alamar> I experienced the environments rhel or sles give me as very reliable
[20:11] <CrazyGir> that was my point, we have different concepts of these things (reliability & simplicity)
[20:11] <alamar> so please elaborate what you mean by reliability
[20:11] <alamar> and why or what part of linux kernel is not
[20:11] <CrazyGir> I do not trust the linux development cycle, eg look at the number (and severity) of bugs that come out on a new release
[20:12] <CrazyGir> this even spills over into distros' dev cycles and practices
[20:12] <alamar> CrazyGir: do you use -current on a server?
[20:12] <alamar> (production)
[20:12] <CrazyGir> no, release + patches
[20:12] <alamar> CrazyGir: so does nobody with linux
[20:12] <CrazyGir> I have _no_ idea how a ubuntu system can be automatically updated, reboot, and reliably break grub
[20:13] <alamar> rhel has 5-7 years support time and stays with the same kernel
[20:13] <alamar> (it backports a lot of stuff of course but it remains the same kernel)
[20:13] <CrazyGir> I'm not talking about distros, we were talking about the reliability of the linux kernel itself
[20:13] <alamar> well then again openbsd-current is not reliable
[20:14] <CrazyGir> it is far more reliable than linux dev trees, but AGAIN, we're considering kernel RELEASES
[20:14] <CrazyGir> not rc or betas
[20:14] <CrazyGir> in any case, we're seeing these things differently
[20:15] <CrazyGir> it has been good talking, and I agree with many of your points, but I think we give a different level of care to these things. I must get back to work
[20:15] <alamar> CrazyGir: nobody uses all the new releases on a production server. (just because they pump out a new version once in a while does not mean everybody runs and uses them - after a considerable amount of time though distributors will consider them for a release after they have proven reliable and stable)
[20:16] <alamar> it's like -current but from time to time they take snapshots and call them 2.6.xy or 3.x in the future
[20:20] <alamar> (actually one might argue that this is actually providing better reliability because after a kernel was released it will be used by millions of people who run rolling release or desktop distributions before it will ever get into server-distributions ;) with openbsd you are more or less forced after 1(!) year (IIRC) to use a newer release (or run without security updates))
[20:24] <alamar> CrazyGir: I enjoyed it too, but I still don't consider openbsd fit as server system. I like it as a router though (when I have to use software router)
[20:37] <astrostl> openbsd is still my favorite unix-like os.  i don't care about it not being a vm hypervisor, as the 'real' ones (vmware, xenserver, etc.) bring their own along.
[20:38] <alamar> astrostl: short support periods also suck and I mentioned a few other things
[20:39] <astrostl> i can understand not wanting to constantly feel behind the 8-ball in terms of upgrades.
[20:40] <astrostl> BUT, i ran a production server from 2.x through 3.x without ever rebuilding it.  years and years of the same system.
[20:41] <astrostl> RHEL 3 to 4 is basically a gut rebuild, so is 4 to 5, so is 5 to 6.
[20:42] <astrostl> ubuntu LTS has in-place and very manual major version upgrades, but i found it painful and that it left a lot of cruft.
[20:42] <alamar> astrostl: this is something I also do not like (having practically to do a new install when moving from X to Y) but the long support time remedies this
[20:42] <astrostl> all my obsd upgrades were done with a trivial shell script that fetched tarballs and extracted them live on the fs.
[20:43] <astrostl> and it's easy to diff the tarball contents against present fs contents to detect cruft.
[20:43] <astrostl> so in practice, running a supported system for years on end was something i found easier with obsd than rhel.
[20:43] <astrostl> (and ubuntu, although the last in-place upgrade i did was 6 to 8 so it may have improved)
[20:44] <alamar> I didn't do any real lts->lts upgrades as of yet (lots will happen next year) (so I'm excited how that will go)
[20:44] <astrostl> if my experience was any guide, get ready for about 1000 interactive prompts :)
[20:45] <alamar> it will be a fun year.. or NOT ;)
[20:45] <astrostl> current org did an 8 -> 10 migration and it was a straight up reload
[20:45] <astrostl> we have hundreds of ubuntu LTS workstations/servers
[20:49] <ScottK> You can use preseeding to avoid most of the prompts. If you have a lot of systems, it's worth it to invest in figuring out how to do this up front.
[20:58] <RoAkSoAx> zul: writing the email now
[21:10] <Guest59162> hello everyone, could someone help me with combining NAT and SOCKS?
[21:32] <RoAkSoAx> zul: email sent
[21:32] <RoAkSoAx> have fun
[21:32] <zul> RoAkSoAx: cool beans...
[21:44] <CrazyGir> am i correct in my understanding that the following line added to /etc/ufw/before.rules would forward tcp traffic received on br0:9000 --> 192.168.1.10? -A PREROUTING -i br0 -p tcp --dport 9000 -j DNAT --to-destination 192.168.1.10
[22:03] <CrazyGir> maybe?
[22:05] <xibalba> what is UFW ?
[22:05] <xibalba> i only use pf
[22:09] <CrazyGir> xibalba: yea, I sometimes wish pf were available on linux
[22:09] <xibalba> what're you trying to do?
[22:09] <CrazyGir> but that would conflict with too much
[22:09] <xibalba> pf > iptables in my opinion
[22:09] <CrazyGir> xibalba: forward port X from a VM server to VM Y
[22:10] <xibalba> is this passing on a bridge or router or ....
[22:10] <CrazyGir> it wouldn't be fair to compare pf & iptables
[22:10] <xibalba> no, but i started in the bsd world so to me anything bsd > linux =P
[22:10] <CrazyGir> xibalba: no, it's port X on the VM SERVER to one of its VMs
[22:10] <xibalba> except the driver development!
[22:10] <CrazyGir> hah
[22:10] <CrazyGir> xibalba: sure, that would be due to corporate investment though
[22:10] <xibalba> CrazyGir , i think you should take a look at virtualizing pfSense on your VMWARE box
[22:10] <CrazyGir> and yea, I would agree, though I started with linux and then went to BSD
[22:10] <xibalba> and using that to control the natting to your VM environment
[22:11] <xibalba> i've seen a lot of people do it and have had good luck with it
[22:11] <CrazyGir> I didn't say VMWare at all
[22:11] <CrazyGir> that isn't what I'm trying to do
[22:11] <CrazyGir> I'm simply trying to ensure specific ports on the vm server go to specific IPs (the server's vms)
[22:12] <CrazyGir> it doesn't need to be more complicated than that
[22:12] <xibalba> hmm after i write this email i can pay attention
[22:12] <xibalba> hang on
[22:12] <CrazyGir> ha :)
[22:12] <CrazyGir> I'll be here
[22:14] <xibalba> so you have a VM box, running some sort of hypervisor and virtual machines underneath the hypervisor
[22:14] <xibalba> yeah?
[22:14] <xibalba> forgive me if i'm delayed, i'm at work too
[22:15] <CrazyGir> don't worry
[22:15] <CrazyGir> this is really a more simple question, you can easily ignore the VM bits
[22:16] <CrazyGir> the VM bits mean that doing something like pfsense is unnecessary
[22:16] <CrazyGir> what I need to do is forward tcp from port X on an interface (on a ubuntu server) to another ubuntu server (specific IP)
[22:16] <xibalba> oh like Redirect ?
[22:17] <xibalba> you know to be honest with you i'm thinking pf syntax when you're describing this, i wont be of any help w/iptables
[22:18] <CrazyGir> :P
[22:18] <CrazyGir> I'm asking mostly for confirmation (to any gurus who would know) as what I'm seeing is not what I would expect
[22:19] <CrazyGir> but I'm unsure, it could be something else
[22:27] <quentusrex> Anyone know where mdadm logs to?
[22:28] <qman__> it doesn't log, that I'm aware
[22:28] <qman__> the current status is always in /proc/mdstat
[22:28] <qman__> and it will email root on failures
[22:29] <quentusrex> I have what appears to be a device failing, and resyncing
[22:29] <quentusrex> but I am getting no messages from mdadm.
[22:29] <qman__> then root's mail is probably not set up to mail to you
[22:30] <qman__> or you may not have an MTA installed
[22:31] <qman__> personally, I don't wait on mdadm to fail a disk, I have smartmontools mail me whenever bad sectors show up
[22:31] <quentusrex> qman__, I'm trying to track down a high load on idle issue
[22:31] <quentusrex> and it seems I'm getting millions of ahci interrupts
[22:31] <quentusrex> and the only thing I can think of that causes that many interrupts in a short span is a drive resyncing.
[22:32] <qman__> cat /proc/mdstat
[22:32] <qman__> it will tell you if it is
[22:32] <qman__> and if it has failed any disks
[22:32] <quentusrex> it reports everything is fine, but the disk order on a raid 1 array has changed.
[22:32] <xibalba> adios ppz, and thanks for the help ppetraki
[22:33] <qman__> disk order isn't important, that's just whatever order it happened to load them in
[22:33] <qman__> though it is possible you have a failing disk
[22:33] <qman__> mdadm doesn't fail a disk until it simply can't write to it anymore
[22:33] <quentusrex> I'm getting about an 8 load on idle, with the only thing I can track down as active are the disk interrupts.
[22:33] <qman__> install smartmontools if you haven't already and do a smartctl -a on each disk to check for bad sectors
[22:34] <qman__> also check dmesg for disks doing weird stuff on a kernel level
[22:34] <quentusrex> yeah, nothing in that file after boot
[22:35] <quentusrex> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/815540
[22:35] <uvirtbot`> Launchpad bug 815540 in linux "Server becomes unresponsive after spawning 16 ksoftirqd processes" [Undecided,Confirmed]
[22:35] <quentusrex> I have two servers nearly identical setup. One works great the other... doesn't.
[22:36] <quentusrex> The only difference hardware wise is the size of the partitions, and the failing one has a seagate drive and two WD drives, where the working one has 3 WD drives.
[22:38] <quentusrex> qman__, http://paste.ubuntu.com/652024/
[22:38] <qman__> brand really isn't important, all the manufacturers make crap these days
[22:39] <quentusrex> Raw Read Error rate seems a bit worrisome.
[22:45] <qman__> if my seagate is any indication, you have nothing to worry about there
[22:45] <qman__> 1 Raw_Read_Error_Rate     0x000f   047   045   006    Pre-fail  Always       -       70516587
[22:48] <fluvvell> It's the interpretation of the figures that is important. The Desktop Disk Utility has a nice page for a clear view of smart data.
[22:48] <qman__> said drive has a power on time of ~3.9 years
[23:06] <fluvvell> qman__, I've yet to really figure out the significance of normalised and worst. e.g. One of my drives has 3.7 years of on time, normalized and worst are both 56. Is that years??
[23:50] <samuelkadolph> Anyone familiar with upstart? I'm wondering when exactly startup is emitted because I'm writing a script and it works until I add >>/var/log/foo.log to the exec line. My guess is that the fs isn't ready yet but I doubt that.