/srv/irclogs.ubuntu.com/2011/10/14/#ubuntu-kernel.txt

00:14 <r3pek> hey guys
00:15 <r3pek> anyone know if anything changed on 3.0.0 relating to barriers/ext4
00:15 <r3pek> ?
02:57 <LLStarks> hi apw or ogasawara, i'm curious as to why the mainline repo uses a hardy toolset. i
02:57 <LLStarks> hi apw or ogasawara, i'm curious as to why the mainline repo uses a hardy toolset. i'd like to be able to use oot modules
02:58 <LLStarks> sorry for rpt. touchpad screws around.
04:34 <twb> Hi, I'm deploying lucid in a bunch of prisons, and for security reasons it has been decided that simply blacklisting drivers (e.g. wifi, USB mass storage) is not sufficient; the .ko files need to be gone.
04:34 <twb> Currently I'm doing this by rm'ing them, but the number of drivers to remove is growing and I'd prefer to just grab the ubuntu kernel, edit the .config, and "make deb-pkg" or so.
04:35 <twb> Should I start from the debian source package, or from the ubuntu git (bzr?) repo?
04:36 <ohsix> you might just replace the hotplug/module loader, or do something with udev to not allow access even if they are loaded; if you give privileges to people they'll be able to do stuff
04:37 <twb> I think the main concern is that if they manage to escalate to root privileges, they would be able to undo e.g. /etc/modprobe.d blacklists
04:38 <ohsix> they will also be able to do anything else, like build another module, replace the entire kernel from the repo; anything
04:38 <twb> All the desktops netboot from a read-only NFS export, so it's not a big deal management-wise to have a custom kernel package in that NFS export
04:39 <ohsix> there's already policy to control access to stuff, and it's not in the kernel
04:40 <twb> ohsix: What are you talking about?
04:47 <RAOF> twb: There are fancier ways of doing things, but you should be able to grab the archive kernel source package, make a change, and rebuild it.
04:50 <RAOF> twb: You've seen things like https://wiki.ubuntu.com/KernelTeam/GitKernelBuild and https://help.ubuntu.com/community/Kernel/Compile ?
04:52 <twb> RAOF: I've been flipping through the /KernelTeam subpages as I spoke; before today I'm only familiar with the Debian kernel handbook and misc. upstream usage
04:52 * twb reads those specific subpages
04:58 <twb> Thank the gods you aren't using bzr for ubuntu kernel patches; I'd have gone insane
05:09 <twb> RAOF: is make-kpkg still du jour for building kernels?  I thought everybody had moved on to "make deb-pkg" ?
05:10 <RAOF> twb: When I've interacted with the kernel packages I've used neither; fakeroot debian/rules binary-generic has been my invocation of choice.  Often with some environment variables set.
05:10 <twb> Hum, OK
05:10 <twb> I think I will just try deb-pkg anyway and see how I go
06:09 <twb> Ahaha, I git cloned into a setgid dir, so now dpkg refuses to operate because debian/ is 2755
06:14 <twb> Hm, I just realized the desktops are still stupidly running i386.  So let's change "make deb-pkg" to "linux32 make ARCH=i386 deb-pkg"...
06:15 <twb> Bleh, no joy
07:26 <kees> twb: you can just set /proc/sys/kernel/modules_disabled
07:26 <kees> twb: see https://wiki.ubuntu.com/Security/Features#block-modules
07:27 <kees> no need to do anything crazy with recompiled kernels :)
07:28 <RAOF> But surely that can be disabled if someone's already successfully done a privilege escalation to root?
07:29 <ohsix> if you get root all is lost, most would say that having physical access means you already lost :>
07:30 <RAOF> I guess you can always mount some writable storage, grab your kernel module, and insmod.
07:31 <ohsix> yep
07:36 <twb> kees: that would prevent other modules being loaded tho
07:36 <twb> kees: like, what if they plug in a USB keyboard afterward
07:37 <twb> The prisoners have physical access to their desktops, but what they can bring into the prison is (obviously) controlled, e.g. they're not going to be allowed to walk in with a live CD
07:38 <twb> The BIOSes are also patched to prevent booting from anything but the network.
07:38 <twb> And yeah, I grant you that if they get root I'm pretty fucked, but defense in depth dictates that I at least try to slow them down
07:39 <ohsix> you might want to whitelist things then
07:39 <ohsix> with something like apparmor or selinux
07:39 <twb> Mm
07:39 <ohsix> er nm you already mentioned ubuntu, apparmor :]
07:40 <ohsix> there are a lot of ways to go from x -> y though, it will still be hard to be worthwhile
07:40 <twb> apparmor is on there, but I haven't riced it up yet
07:41 <twb> I definitely should, I just haven't gotten around to it yet
07:41 <ohsix> if something comes up apparmor will give you pretty responsive policy control too
07:44 <kees> RAOF: /proc/sys/kernel/modules_disabled ? no, it's one-way
07:44 <kees> RAOF: with modules_disabled set, insmod will not work.
07:44 <twb> kees: as in until reboot?
07:44 <kees> twb: I thought you said you wanted no modules to load? I'm confused.
07:44 <kees> twb: right
07:44 <twb> I want specific classes of devices to not work
07:44 <kees> twb: until you set it again. on my colo I load usb, usb-hid, usb-storage, then set modules_disabled.
07:44 <twb> e.g. no wifi, ever
07:45 <kees> aaaah
07:45 <twb> But it does sound like a good idea
07:45 <twb> I can probably just dictate that e.g. USB keyboards MUST be plugged in before booting
07:45 <twb> And set that in e.g. rc.local
07:45 <kees> the plug-in will be fine as long as the module is loaded
07:46 <kees> just load usb and usb-hid before blocking modules. basically take the whitelist, load them all, then block modules.
07:46 <kees> I'm still suspicious of the overall effectiveness of this in the face of physical access, though :)
07:47 <kees> the BIOS can't be interrupted to allow init=/bin/bash or anything silly?
07:47 <twb> Well, pxelinux is configured not to allow that, and the bioses are patched (by the hardware vendor) not to allow editing of the boot order
07:47 <twb> They could probably pull open the case and set a jumper or reflash the bios or something, if they were clever
07:48 <twb> But remember this is inside a prison
07:48 * kees nods
07:48 <twb> Also most of the prisons are coming from running Windows desktops, so the simple fact that e.g. there's no hard disk, that rebooting puts them back to a "clean" version of the OS, has them completely stoked
07:49 <kees> yeah
07:49 <twb> This is mostly just me being super pedantic
07:49 <twb> Like I try to make it so the easiest way for them to run scripts is to have to write them in oo.org, because they can't get xterm or tty1 or gedit
07:50 <ohsix> and disable alt+f2, it's really a dead end though
07:51 <twb> ohsix: yeah, that one is easy, you just write /etc/gconf.blah/mandatory.xml
07:51 <twb> If it was *me* attacking and I had all year I could probably do some damage, but the tech-savvy prisoners tend to be watched more closely, etc.
09:08 <gentoo_drummer> ayone here?
09:08 <gentoo_drummer> anyon*
10:17 <awilkins> Hello ALSA driver people
10:17 <awilkins> My latest problem ; any sound directed to the rear right channel is actually playing in rear left
10:34 <aquarius> I'm getting frequent-ish kernel panics on my HP microserver -- there have been three in the last 24 hours. I'm currently running memtest on the machine, but it's not showing any memory errors so far. It's running Ubuntu Server 11.04. http://ubuntuone.com/4NvFGyH0YdJS17wpDEl2fI is a picture of the most recent. What's the best way to get information to you guys?
10:35 <aquarius> https://help.ubuntu.com/community/DebuggingSystemCrash suggests taking a photo, as above; should I just attach that photo (and others if/when it panics again) to an LP bug?
10:50 <smb> aquarius, basically yes. Maybe you could get another photo (which is slightly more readable) when it happens again. But otherwise open the bug with "ubuntu-bug linux" and then attach it to the generated report
10:51 * aquarius laughs
10:51 <aquarius> no offence taken at my poor photography skills :)
10:51 <aquarius> I shall file a bug
10:51 <smb> aquarius, Appreciated and I know it can be a pain. :)
10:51 <smb> (meaning to get a readable result from a photograph)
10:57 <aquarius> (the machine's headless, so I'm not sure ubuntu-bug will work, but I'll file it the hard way :))
11:42 <_ruben> so you took a picture of a headless machine's screen? ... interesting :P
=== BenC__ is now known as BenC
12:57 <apw> awilkins, file a bug with ubuntu-bug audio and that will get all the info needed to work out how audio is routed
12:59 <Q-FUNK> apw: is 'ubuntu-bug audio' documented anywhere? the man page has nothing about it, yet this would seem to be an eminently useful feature.
13:00 <apw> a good question indeed, have no idea, i only found out yesterday, i'd been using ubuntu-bug alsa-drivers until then (when it stopped working)
13:00 <Q-FUNK> ok
13:01 <Q-FUNK> btw, any news about why vesafb disappeared from mainline's standard builds?
13:01 <awilkins> apw, Hello again ; I had a look with HDA_analyzer and codec-graph but it doesn't really illuminate the issue since the problem is that half of a stereo pair is going awry ; they only seem to deal with stereo pairs and not individual channels
13:01 <awilkins> Unless I'm missing something
13:01 <apw> how are you directing to a specific channel
13:02 <apw> and is the other half working ?
13:02 <awilkins> apw, The problem is that the audio for the right rear channel is ending up in the left rear channel
13:02 <apw> and the audio for the left rear ?
13:02 <awilkins> Absent
13:02 <awilkins> Oh, no left is fine
13:02 <awilkins> Sorry
13:03 <apw> so left goes left, and right goes left, and right output has ?  nothing ?
13:03 <awilkins> Yup
13:03 <apw> now that is odd indeed, could the channel be in mono mode ?
13:03 <awilkins> I'll fire up HDA_analyzer again
13:06 <ppisati> mdeslaur: how do i turn off a cve for a branch? previously we had to do it via bzr/cve-tracker, is it still like this? or are cves connected to the corresponding lp bug?
13:06 <awilkins> I'm not the only person to notice but the only mentions I could find were quite old
13:08 <mdeslaur> apw: could you answer ppisati? I'm not sure where and how you guys do it...
13:08 <ppisati> previously we did it via bzr
13:08 <ppisati> but i heard there was some work toward integrating cves and lp bugs
13:10 <janimo> hello kernel people. I am maintaining the linux-ac100 package and packaging git tree which is now mirrored on kernel.ubuntu.com/git . Shall I mirror the upstream branch I am pulling from there as well?
13:11 <awilkins> apw, D'oh. It was a partially unseated jack ; must have been shorting the right channel with the left
13:11 <janimo> my workflow now is, git fetch + git rebase origin but for others to be able to work from the same git tree, they'd need to know where upstream is
13:19 <apw> awilkins, heh that seems plausible
13:19 <apw> janimo, why would they need the upstream tree ?
13:25 <apw> if they are working relative to your tree, your tree is the tip that jumps about that they need to rebase their stuff against ...
14:03 <ppisati> apw: so, if i want to mark a kernel release as "not affected", how do i do it? still via bzr and cve-tracker?
14:03 <ppisati> apw: i mean, cve-wise
14:05 <apw> ppisati, in theory you should be able to mark it invalid in the bug and it should get copied over
14:05 <ppisati> apw: ok
14:16 <ogra_> apw, hmm, i saw several users complaining their PS/2 keyboards stopped working on x86 installs ... did we drop any config option here ?
14:16 <ogra_> seems the same users had them working before upgrading from natty
14:16 <ogra_> as well as before a reinstall
14:17 <ppisati> ogra_: i'm using a ps2 keyboard and, so far, everything is fine
14:17 <ogra_> ppetraki, awesome
14:17 <ogra_> so it's on their side, great
14:17 <ppisati> ogra_: in the past, it has happened that after a bit my keyboard suddenly died
14:17 * ogra_ doesn't even have such HW around anymore to confirm such stuff
14:17 <ppisati> but, so far, it's more than a week with no problem
14:17 <ppisati> i mean
14:18 <ppisati> more than a week since i upgraded to oneiric on this box
14:18 <ppisati> and it's ok
=== firewave is now known as FireWave_Job
=== JanC_ is now known as JanC
17:12 <janimo> apw, re upstream tree. In case they want to roll a new deb keeping the same packaging but fetching some more upstream commits before
17:12 <janimo> they can do it now I guess but they need to define their remote
17:16 <SinnerNyx> i was directed here from #fluxbox. I am running ubuntu-server and installed fluxbox with xinit. when I exit fluxbox the tty appears as: http://tinypic.com/view.php?pic=2s690dx&s=7
17:19 <bjf> ogasawara, what's the timeframe for uploading the first precise kernel ?
17:20 * bjf just remembers she's gone today
17:20 <cking> precisely
17:21 <bjf> you've been waiting to throw that out :-)
17:34 <SinnerNyx> thoughts?
=== jdstrand is now known as jdstr
=== jdstr is now known as jdstrand
18:14 <Insyte> I would like to backport (or otherwise obtain) a karmic/lucid kernel to hardy in order to get the fix for this bug:  http://goo.gl/XoFwY
18:15 <Insyte> Is there a good way to go about this process other than just installing the kernel package from the newer release?
18:16 <Insyte> On the one hand, it seems like it should be pretty simple as I've routinely replaced kernels on other distros.  But I'm worried about identifying user-space incompatibilities.
18:17 <jjohansen> Insyte: yep userspace problems, and external drivers (dkms, ...) are the big problems
18:18 <jjohansen> Insyte: you can try it, and it should likely work, but know that you will need an updated apparmor userspace in hardy as well, if you do this
18:19 <jjohansen> Insyte: if this bug is affecting hardy, it should probably be an SRU fix
18:19 <Insyte> Would you recommend just installing the package from Lucid and backporting the userspace stuff?  Or would there be any reason to recompile the kernel on a hardy box?
18:20 <Insyte> And yeah, the bug is affecting Hardy.  We can reliably reproduce.  Unfortunately Apparmor changed significantly between hardy and the release the patch was written for, so the patch won't apply to a 2.6.24 kernel.
18:20 <jjohansen> Insyte: the reason to compile on hardy would be if there are any modules being compiled on the box, dkms does this (not used in hardy), I can't remember the module solution for hardy
18:21 <jjohansen> as long as the kernel and modules are compiled with the same tool chain it doesn't really matter whether it's the same as the rest of the system
18:21 <Insyte> OK, cool.  Should I open a new bug report since 415632 is marked "fix released"?  Or would it make more sense just to reply to the same bug?
18:22 <jjohansen> Insyte: well, that is interesting, the bug specifically mentions it being a regression from jaunty which came after hardy
18:22 <jjohansen> Insyte: please open a new bug, and post it here, and I will take a look at it
18:22 <Insyte> Cool, thanks.
18:23 <jjohansen> Insyte: also there is a #apparmor channel on irc.oftc.net, and an apparmor ml (apparmor@lists.ubuntu.com) if you are running into apparmor specific problems
18:25 <Insyte> Thanks.  Was your patch accepted upstream?  If so, probably no point in bringing it up with them.
18:27 <jjohansen> Insyte: yes it's upstream.  I didn't suggest those specifically for the patch but, if you, say, try a new kernel and run into problems with the apparmor user space not loading, or some such.  As that would be a better place to discuss that kind of thing than here
18:27 * jjohansen is in both places
18:27 <Insyte> Ah, I understand.  Thanks.
19:17 <Insyte> jjohansen: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/874544
19:17 <ubot2> Launchpad bug 874544 in linux "mkdir failure on NFS with Apparmor" [Undecided,New]
19:17 <jjohansen> Insyte: okay I'll take a look
19:17 <Insyte> Much appreciated!
19:18 <Insyte> I am happy to provide any additional details I may have missed.
19:38 <jjohansen> Insyte: hopefully I will have a kernel for you to test this afternoon, if I need any more info I will ask for it in the bug
19:39 <Insyte> Awesome, thanks!
19:48 <jjohansen> Insyte: do you have any log messages with info about the reject?
19:49 <jjohansen> This is definitely different from bug #415632
19:49 <ubot2> Launchpad bug 415632 in linux "apparmor not properly handling file deletion on NFS" [Medium,Fix released] https://launchpad.net/bugs/415632
19:51 <Insyte> jjohansen: When called from our PHP code, it logs "No such file or directory"
19:52 <jjohansen> Insyte: is there an apparmor reject in dmesg
19:52 <jjohansen> or in the No such file or directory what is logged?
19:52 <Insyte> Not a reject, no, but a "info="Failed name resolution - object not a valid entry""
19:53 <Insyte> type=1503 operation="inode_mkdir" info="Failed name resolution - object not a valid entry" error=-2 requested_mask="w::" denied_mask="w::" pid=7283 profile="/usr/sbin/apache2//www.example.com" namespace="default"
19:54 <jjohansen> Insyte: thanks
19:54 <Insyte> All PHP logs is "No such file or directory", then a reference to the code that called "mkdir()".
=== yofel_ is now known as yofel
20:39 <Insyte> So I'm attempting to install a Lucid kernel on one of my Hardy test machines:
20:39 <Insyte> # dpkg -i linux-image-server_2.6.32.34.40_amd64.deb
20:40 <Insyte> Preparing to replace linux-image-server 2.6.32.34.40 (using linux-image-server_2.6.32.34.40_amd64.deb) ...
20:40 <Insyte> Unpacking replacement linux-image-server ...
20:40 <Insyte> dpkg: dependency problems prevent configuration of linux-image-server:
20:40 <Insyte>  linux-image-server depends on linux-image-2.6.32-34-server; however:
20:40 <Insyte>   Package linux-image-2.6.32-34-server is not installed.
20:40 <Insyte> That seems... circular.
20:41 <ohsix> you're installing the .40 image which linux-image-server doesn't like?
20:42 <Insyte> Oh, hmmm... I think I see the problem.
20:42 <Insyte> Yeah, I inadvertently grabbed the virtual package.
23:40 <niceplace> hi
23:42 <niceplace> i want to compile the 3.1 linux kernel
23:42 <niceplace> i know it is rc but i need it
23:42 <niceplace> is it too difficult for a n0ob ?
