[01:12] Is there an easy way to get ubuntu to work as a wireless access point?
[01:12] like a metapackage for the task or something :)
[01:18] <_Techie_> is there a way to have ubuntu remove a list of packages using apt-get purge when one/some of the listed packages are not installed
[01:28] <_Techie_> is there any way to remove all ubuntu-desktop packages so that im left with ubuntu-minimal for a server im setting up, the only disc i had on hand was a desktop disc
[01:28] _Techie_, the kernel is different from server to desktop
[01:29] _Techie_: it would be better to install from the Server CD in the first place, but yes, you can remove packages you don't need
[01:30] kristianpaul: you just need hostapd
[01:30] kristianpaul: the documentation for it is a bit obtuse, but it's actually reasonably simple configuration
[01:32] <_Techie_> twb: are you able to provide an easy way of removing the unnecessary packages, the purexfce instructions are a tad outdated
[01:32] <_Techie_> thesheff17: i dont need a streamlined kernel, all it will be doing is acting as a dhcp server and router between a LAN and the internet
[01:33] _Techie_: broadly speaking, go into aptitude and markauto things
[01:34] _Techie_: you'll want to keep ubuntu-standard and -minimal metapackages, and a kernel. Oh, and a bootloader.
[01:34] If you get rid of EVERYTHING else, you should still be able to boot, and install packages you do need.
[01:34] I would recommend not getting rid of everything else in one go tho -- rather e.g. markauto ?section(metapackages), ?section(x11) and ?section(gnome) to begin with, plus everything in ?section(libs)
[01:35] On my own systems I aim for ~i!~M to show only the packages I actually asked for
[01:59] <_Techie_> twb: just checking, does ubuntu-minimal require networking and /bin/bash , would hate to accidentally remove those
[02:00] <_Techie_> or ubuntu-standard
[02:00] You'd have to really go out of your way to get rid of bash
[02:00] Not so sure re. networking
[02:00] If you've been using NetworkManager up until now, that will obviously go
[02:01] <_Techie_> its base install
[02:02] <_Techie_> and it will all be re configured from CLI
[02:03] The main stuff for networking will be ifupdown, dhclient and netbase or so
[02:03] Assuming ethernet DHCP client
[02:03] Currently dhclient is called isc-dhcp-client AFAICT
[02:04] If you just pay attention to what you're removing you should be OK
[02:05] <_Techie_> well, i just marked a ton of stuff as auto and am hoping for the best
[02:05] Like I said, it's safer to do a bit at a time
[02:06] <_Techie_> this is odd, i cant think of what would be requiring compiz-fusion
[02:06] aptitude why compiz-fusion, or hit "r" in the UI
[02:08] <_Techie_> okay, i just went nuts
[02:08] <_Techie_> either im gonna learn something incredibly cool... or im gonna be back at square one within half an hour
[02:08] <_Techie_> maybe if this doesnt go too well, ill burn a server disc
[02:10] <_Techie_> okay, i still havent been completely locked out... maybe im not trying hard enough
[02:29] <_Techie_> twb: just rebooting now, hopefully everything still works
[02:31] You're still here, so I guess you had the sense to IRC from another box
[02:33] <_Techie_> this aint my first rodeo
[02:35] <_Techie_> okay, things seemed to have worked to a point
[02:36] <_Techie_> some things are stopping some X11 packages from being removed, and im not going to go chasing after them
[02:37] Wise move
[02:37] If it's just some libraries, it doesn't hurt to leave them installed
[02:38] anybody know how to change password through command line for Orchestra web browser interface?
[02:39] ttt: where is it stored? flat files, ldap?
[02:40] well
[02:40] ok
[02:40] in /etc/cobbler under u 11.10 server
[02:41] user.conf ?
[02:41] Dunno, then
[02:41] theres any command line prompt program just to change it i just tried the one i configured and the login page just come back to the same login page..
[02:42] ttt: sorry, I don't use that software, and it sounds like a software-specific password
[05:43] Right now I'm using google apps. Is it possible to stick my own postfix installation as the 10 priority MX record and have it fallback on google apps?
[05:44] depends on what you're using google apps for... if for mail delivery, you'll have to send it to google at some point
[05:45] i want to move over to my own server for mail delivery, receive, and transfer
[05:45] i've got only one server though, so I'm asking if there's a way to kind of back up the receiving end
[05:46] In theory yes; in practice depends what google does
[05:46] Certainly my MTA acts as a secondary for some of my customers, accepting mail on their behalf and relaying it to them when they come back online
[05:47] http://pastie.org/2786323 here's my new mx
[05:47] is this worth a try?
[05:48] Christ, can't you just give it in dig notation?
[05:48] sorry, 1 sec
[05:49] http://pastie.org/2786328
[05:52] Thanks, although I don't know the answer, since I don't use google :-)
[05:53] What concept should I research so I can better understand this problem?
[05:53] Though it is always a good idea to have a null-mx as first entry and a tarpit as the last entry
[06:30] why would update-rc.d say this Adding system startup for /etc/init.d/drbd ...
[06:30] CrazyGir: because someone ran it?
[06:30] when running update-rc.d drbd disable
[06:30] ...sorry, didn't expect that linebreak
[06:31] IIRC disable isn't guaranteed to continue working; maybe they broke it
[06:31] wtf?
[06:31] why would that be
[06:31] Can't see that mentioned in the sid version of the manpage tho
[06:32] So: I don't know why you got that behaviour.
[06:32] Are you on lucid, or what?
[06:32] hrm
[06:32] should be lucid, but this one particular might be running 11.04 - what is the ubuntu way for checking/confirming?
[06:33] I would expect uname -a to tell you
[06:33] lsb_release -a
[06:33] bah, this particular system is natty
[06:34] and I'm so going to wipe and reinstall with lucid :)
[06:34] I doubt that'll help
[06:34] But whatever
[06:34] it'll help with a few things
[06:34] Granted
[06:34] I find 10.04 to be far more stable
[06:34] I meant with the issue you mentioned
[06:34] yep
[06:35] I've found the drbd packages in natty to be questionable
[06:35] I wasn't enthusiastic about drbd in the first place
[06:35] SANs are hard work
[06:35] yea they are
[06:35] In the end I just told "you don't really need this, just buy a beefy box and run samba, it'll be less headache"
[06:36] I am looking to try out the qlogic-build-it-yourself route
[06:36] Well, I've got postfix and dovecot both working. I ended up deleting all my google MX's
[06:36] so I have only one 10 MX rec.
[06:36] eg, you get a bunch of FC HBAs, run their drivers, have at least 3 systems, and you get your own SAN cluster
[06:36] tdignan: dig mx cyber.com.au +short <-- re null-mx + tarpit
[06:37] twb: thank you
[06:37] Basically just make sure your first one returns REJECT not DROP on 25; and the last one I just use some other guy's tarpit
[06:38] Cuts out some of the spammers that don't follow correct MX logic
[06:38] so 20 and 30 are your actual mail servers
[06:38] Yep
[06:38] i'm going to google how to make this null mx
[06:38] thanks a bunch
[06:38] Actually the same one; the exetel one is the backup DSL line
[06:39] That plus an RBL or two, plus greylisting, is about all the antispam we do
[06:39] A couple of our users who interact with normal people, and have had the same email address for twenty years, we use crm114 for them, but overall I am against body scanning
[06:39] * CrazyGir <3 openbsd's spamd + pf + tarpitting + open-smtpd
[06:40] mtaylor: very belated "pong" .. ;)
[06:40] ah cool
[06:40] I can break out the body scanners here, this is meant to be my own private email for my business
[06:40] CrazyGir: I threw out all my ancient obsd and sol routers and just put in a single ubuntu box :-)
[06:40] you could have just upgraded them too
[06:41] or one
[06:41] :P
[06:41] sorry, but OpenBSD's correctness and simplicity trump ubuntu anyday - not that ubuntu doesn't have its places or successes, but it fails (miserably) in the correctness/simplicity categories
[06:42] Sure but I like a homogeneous network and I didn't want to have to learn those
[06:42] indeed
[06:42] are you using puppet for that homogenous network?
[06:42] Nope, too lazy
[06:43] you are so silly
[06:43] (to claim laziness)
[06:43] puppet doesn't even have a versioned wire protocol
[06:43] And the puppet devs respond to every issue with "upgrade to latest version on both ends"
[06:43] And of course then you need ruby on every goddamn host
[06:43] and that prevents you from simplifying maintaining your homogenous network how?
[06:43] If I had 1000 hosts I might bother; I have more like 20
[06:44] And most of them are actually just jails
[06:44] still silly, in my opinion
[06:44] Shrug
[06:44] twb: I think the tipping point for needing something like puppet is around 20 servers actually.
[06:44] Have you tried to write a parser for sysctl.conf in puppet?
[06:44] there's so much (ridiculous) redundancy in sysadmin work
[06:44] Or did you just do what every other bastard did, and just use the exec plugin?
[06:44] At that point you're really just using puppet as a glorified clusterssh
[06:45] * SpamapS still prefers using OpenBSD for firewalls, as its a nice "air gap" to have a different OS protecting your network.
[06:45] SpamapS: I have actual air gaps
[06:45] twb: note, Juju is the new glorified clusterssh. :)
[06:45] I'm not so advanced, so right now puppet is a glorified fileserver + automating user/package configuration + some specialized scripts for special services
[06:45] SpamapS: bwah
[06:46] but I believe, once I have configured a system/service/role, I should not be doing it again
[06:46] I should be adding to it
[06:46] Most of the package configuration I do via .deb from the internal PPA repo
[06:46] it's like rewriting an authentication module for your webapp, just cause you are redeploying
[06:46] so silly
[06:46] And all the jails are based off a local template that has e.g. ldap pre-configured
[06:46] :)
[06:46] to each and his own
[06:46] CrazyGir: I believe you and twb are agreeing on principle, but not on method.
[06:47] sounds like it
[06:47] I would be more enthusiastic about puppet if I had the impression of *rigour*
[06:47] though my principles here also dictate that I centralize the configuration and make redeployment a less-than-one-hour sort of task
[06:47] Maybe it's just that I used to work with some puppet employees :P
[06:48] twb: if you have others you manage, you can also make them do it!
[06:48] hah
[06:48] I can deploy a new jail in about five minutes, FWIW
[06:48] no, I mean the whole rack
[06:48] Most of that is choosing a hostname
[06:48] :D
[06:49] I'm still working towards that dream, but I'm already pretty close, which is awesome to me, as I've only been working towards that goal for a few months now
[06:49] that's why there is a wikipedia article containing a list of names of moon's geographical features
[06:49] Most of my customers have one server and a couple dozen windows desktops, so puppet is not an attractive proposition for those
[06:49] ah, so the NULL mx is just a way of forcing the MTA to have to go down the list of priorities and try the next one
[06:49] ?
[06:49] tdignan: yes
[06:49] tdignan: it rules out anyone too lazy to try >1 MX
[06:50] excellent trick
[06:50] And the tarpit nails anyone who tries to work from the bottom up, which is a common tactic because people often (stupidly) only put anti-spam on the first MX
[06:50] hah that still happens?
[06:50] SpamapS: well, maybe my advice is old
[06:50] SpamapS: lot of greybeards here
[06:52] I tend to just have my hosting provider's barracudas as MX's.. and then the @ that resolves to my webserver rejects anything not from those two barracudas.
[06:53] SpamapS: hard disks?
[07:02] i'm paranoid to just use someone's tarpit: if I do this on my other server: iptables -A input -p tcp -m tcp --dport 25 -j TARPIT -- will that interfere with my ability to send outgoing email from that machine, locally?
[07:03] tdignan: is that a separate host from the main MTA?
[07:03] yeah
[07:03] Should be fine
[07:03] It's -A INPUT of course
[07:03] I just want to preserve the ability on that host, to be able to shoot off an email
[07:03] that's fine, right?
[07:03] tdignan: I think so
[07:03] awesome, thank you for all your help
[07:04] I am new to using linux as a server other than apache and ssh
[07:04] twb: no, they are spam filtering appliances
[07:04] twb: by far the best I've seen
[07:04] SpamapS: bah
[07:04] https://secure.wikimedia.org/wikipedia/en/wiki/Barracuda_Networks
[07:04] heavily cultivated blocklists
[07:04] Haha "spam firewalls"
[07:05] Forgive them the terminology.. they really do obliterate anything else I've seen.
[07:05] It's based on clamd
[07:06] and spamassassin :)
[07:06] I'm not a fan of either
[07:06] but what you're paying for is their constantly updated and managed blocklists
[07:06] Mainly because whenever I ssh into a customer that uses them, 99% of the load is from clam
[07:06] SA and clamd are just for the obvious stuff.
[07:06] yeah, its an appliance.. its not your problem. :)
[07:07] I sell appliances, I know what they look like on the inside :-(
[07:07] "Appliance" just means "don't look, Cthulhu inside"
[07:07] hah
[07:08] Oh man, or those Thecus NASs. They have everything turned off in busybox, but they still use bash for all their scripts :-/
[10:03] is there something I can install that will give me periodic reports on my system via email?
[10:29] hi, I'm trying to do a somewhat difficult installation of Ubuntu Server 11.04 amd64 onto a machine (a Mac Xserve) that has 32-bit EFI firmware only ... someone who wrote up instructions on how to do this suggested "downloading the network installer of your choice in ISO format" (from the Linux distro desired, in my case Ubuntu Server) ...
[10:29] I didn't see it on the Ubuntu web site, is there a specific network installer (in ISO disc image format)?
[10:30] what I have seen is only this file:
[10:30] ubuntu-11.04-server-amd64.iso
[10:30] thank you for any suggestions
[10:36] http://archive.ubuntu.com/ubuntu/dists/natty/main/installer-amd64/current/images/netboot/mini.iso
[10:42] thanks patdk_lap:
[10:45] tdignan: logcheck is good, logwatch is handy as well.
[11:03] hey all. Anyone know why my server would be showing an open 3128 port attributed to squid-http (when scanned externally) but lsof, /etc/services and netstat don't show anything running?
[11:17] jasonmsp, either your server is running it and you just don't see it, or something is between your server and what you scanned it with/you scanned the wrong IP
[11:18] greppy: ah, thanks for the suggestions.
[11:18] * tdignan 's wireless keyboard fails to transmit keystrokes when he turns his fan on :/
[11:19] qman__: thanks. The conclusion i've been coming to is that it is somewhere along the way. I've been using nmap. From a command prompt within the server it shows closed, from my present location it shows open. Is there a way to have nmap find out where the source along the way is?
[11:21] well, in order for it to show up as your server, it'd have to be a transparent device like an inline firewall or NAT router, or from your ISP if applicable
[11:22] or alternatively it's a backdoor.
[11:24] yeah, but nmap is pretty good at application detection, it'd have to be pretty sophisticated to fake being squid
[11:30] I've got logwatch installed and I see that it's created a file in /etc/cron.hourly
[11:30] I know how to edit user crontabs but have not used the /etc way before
[11:30] I'm sorry, I mean cron.daily
[11:30] what is the correct way to modify this to make it run every 3-4 hours, instead of daily?
[11:31] New bug: #884177 in lm-sensors (main) "fancontrol cannot read its own configuration file" [Undecided,New] https://launchpad.net/bugs/884177
[11:33] New bug: #884173 in lm-sensors (main) "sensors returning a bogus temperature reading" [Undecided,New] https://launchpad.net/bugs/884173
[11:35] nm, found it all in /etc/crontab
[11:40] tdignan: logwatch is good for a daily status update, I depend on logcheck for hourly updates of things that I may need to be worried about.
[11:47] greppy: cool, trying it out now
[11:47] i made a new cron category called cron.quadly
[11:48] so stuff can run every 4 hours
[13:30] woo, joined UDS plenaries just in time to see sabdfl praise Orchestra :)
[13:30] http://video.ubuntu.com/live/
[13:35] SpamapS, and you were just mentioned ;)
[13:35] Where do I submit a bug? Getting lots of weird utf characters when choosing german language before login to phpmyadmin in ubuntu 9.10 server
[13:36] 9.10 ?
[13:36] thats EOL since a year i think
[13:37] Oh, ok.
[13:37] Is even the server version EOL ?
[13:37] it wasnt an LTS, so it goes EOL after 18months
[13:38] ok
[13:38] (hint: use LTS releases on servers :) )
[13:39] I do now.. But at that time 10.04 wasn't released.
[13:39] I'll upgrade it.
[13:39] yup, do that
[13:40] * ersi hugs 10.04
[13:41] * ersi cuddles 10.04
[13:41] * SpamapS feeds a live mouse to 10.04
[13:43] SpamapS: lol
[14:16] <\sh> sander^work, hopefully you don't have any nic bonding configs on your server
[14:16] <\sh> sander^work, be sure to read the release notes of lucid before you just upgrade...can be helpful for your dist-upgrade
[14:16] ersi: you're getting pretty personal with lucid aren't you ;)
[14:17] sorry, can't talk - me and 10.04 is busy ;)'
[14:18] * lynxman covers his eyes
[14:19] What #channel is the ITSM discussion going on? ubuntu-uds-bonaire1? or something else? lynxman ? RoAkSoAx ?
[14:19] ah, cap b
[14:19] medberry: I'd say #ubuntu-uds-Bonaire1
[14:20] nod.
[14:31] New bug: #884240 in clamav (main) "I'm having the same issue." [Undecided,New] https://launchpad.net/bugs/884240
[14:32] funny bug
[14:48] Hey, after I did a release upgrade I got this error with PHP/PDO: SQLSTATE[HY000] [2019] Can't initialize character set UTF-8 (path: /usr/share/mysql/charsets/)
[14:48] Am I missing a package?
=== beerbroy is now known as Hut-Josef
[15:36] miceiken: should be in package 'mysql-server-core'
[15:37] miceiken: but see http://is.gd/F44c6V
[16:00] pmatulis, neither of that worked
[16:00] mysql-server-core was already installed
[16:03] shang: are you at UDS?
[16:04] shang: if you are and wanna look further into the orchestra issue just let me know
[16:17] hello
[16:18] where can i get help with networking?
[16:21] The_Fred: here, if you're using ubuntu server
[16:24] pmatulis, I am using ubuntu desktop, but i removed network manager by mistake, and am trying to connect manually
[16:25] The_Fred: edit /etc/network/interfaces, see the ubuntu server guide
[16:26] when I do iwconfig wlan1 key restricted XXX it throws: SET failed on device wlan1;invalid argument
[16:26] thanks for the pointer pmatulis
[16:49] testing Condor, a cluster scheduler, I see it's got downloads for debian 5 or 6 - which one of those would match lucid best?
[16:51] huh - seems to be in the repos already...
[17:08] anyone here working with compute clusters?
=== lifeless_ is now known as lifeless
[18:09] hm... condor looks like a good switchboard for parallel processing
[18:12] condor? Isn't that the old thing that makes fork() possibly end up forking to another server?
[18:13] dunno yet - but it seems it's got some nifty features like stopping jobs and migrating them to idle hosts if the host running the job gets some more work, and even resume dead jobs
[18:13] seems a bit heavy on the network side, though
[18:15] Mosix is the thing that I was thinking of
[18:17] SpamapS: someone at work was talking about mosix - 'the way to go', but I started checking what open software were available for such a task...
[18:17] and since openmosix died three years ago, well...
[18:17] Yeah
[18:18] I think at this point if you have massive distributed jobs to run, hadoop is the king.
[18:18] I thought hadoop was mainly about storage
[18:19] definitely not
[18:19] HDFS is its default storage bit
[18:19] hi all
[18:19] but you can store data in Cassandra, or CEPH
[18:21] doesn't seem to have the process migration thing that condor has
[18:21] or job migration
[18:24] SpamapS: seems the parallel computation bit isn't quite ready....
[18:25] uh
[18:25] its driving the big data revolution
[18:26] RoyK: hadoop is basically destroying traditional enterprise business intelligence ..
[18:26] SpamapS: still seems to lack a good scheduler...
[18:26] "scheduler" ?
[18:26] for compute nodes
[18:27] gents, trying to install mysql and am getting errors with CVS and Docdb. I've tried cvs update and it fails. CVS isn't in the package manager. Kind of at stand still right now.
[18:27] RoyK: like, so you can let 2 people fight over the same set of resources?
[18:27] RoyK: we call that "the cloud" ;) ..
[18:27] lickalott: cvs?!
[18:28] apparently it's needed for what our plans are for mysql. I'm kind of in and out of the conversation. lemme get some details...
[18:29] SpamapS: like if you have a job that will need to spawn 1000 processes across a compute cluster
[18:29] lickalott: are you using CVS?
[18:29] we are trying to test out a document database and docdb was the first package that he wanted to try
[18:29] lickalott: I can't possibly see why you would want to use CVS
[18:29] so press without CVS?
[18:29] SCCS FTW!
[18:30] lickalott: CVS is a rather elderly version control system - there are others that work very much better :P
[18:30] like git or mercurial
[18:30] SCCS?
[18:31] RoyK: how do you know you need 1000 processes? Hadoop takes a massive data set, breaks it up into pieces and farms out the pieces to processors. The job and the data do not dictate the number of processors.. that just becomes the way you speed it up.
[18:31] SpamapS: how would HADOOP know how to split those netcdf files?
[18:32] RoyK: all jobs are made up of a map() and a reduce() function
[18:33] RoyK: map() takes a chunk and returns the pieces
[18:33] what controls where those jobs are run?
[18:34] the map() tends to run on very few nodes, reduce() runs everywhere
[18:35] and map/reduce is written in what? java?
[18:35] I haven't written any map/reduce jobs, but I believe map() can break it up into big chunks which can be further mapped to smaller pieces
[18:35] lickalott: SCCP, not SCCS, it's an even more eldritch thing
[18:35] Hadoop is java yes.
[18:36] Tho I've written mini-map-reduce in PHP w/ gearmand used to do the job control/scheduling
[18:36] sccp is cisco's sip
[18:37] SpamapS: would this work for scientific data where you might have a terabyte of input data and only want to use, say, 50GB of that?
[18:38] patdk-wk: sorry, sccs, not sccp :P
[18:39] patdk-wk: btw, IIRC SCCS is a separate protocol, not related to SIP
[18:40] heh? sccp is what cisco uses instead of sip
[18:41] cisco uses SIP as well
[18:42] cisco normally defaults to sccp though
[18:42] that doesn't mean sccp relates to sip
[18:43] never said they are related
[18:43] other than they are both voip protocols
[18:43] in the same way that h.323 != sip
[18:43] 19:36 < patdk-wk> sccp is cisco's sip
[18:43] ya, sccp is ciscos voip protocol, vs using sip
[18:44] h.323 is a long way away from sip
[18:44] h.323 is technically asn.1 over IP
[18:44] which is ugly....
=== ejat- is now known as ejat
[19:13] <^Mike\b> Is there a tool to know whether a reboot is needed to finish applying updates? On the desktop edition, it turns the power button red in the top-right corner, for example.
[19:16] ^Mike\b: logging in with ssh tells you
[19:16] RoyK: Error: "Mike\b:" is not a valid command.
[19:16] * RoyK slaps uvirtbot
[19:17] that's done with running landscape-sysinfo
[19:17] <^Mike\b> ah, right
[19:17] * ^Mike\b checks that those scripts are still enabled
[19:18] <^Mike\b> thanks
[20:05] What is the most recommended way to handle virtualization when using Orchestra?
[20:06] mgw: cobbler can manage VMs with koan.
[20:06] mgw: but if you want large scale virtualization.. OpenStack may be a better choice.
[20:07] what do i do if a program wont quit when clicking ctrl+c
[20:09] miceiken: Try CTRL-Z
[20:09] SpamapS: ty, we're looking to manage a few dozen physical machines
[20:09] and then run `jobs` to see what the job status is
[20:09] miceiken: You can then do a `kill %n`, where n is the job number
[20:09] SpamapS : cobbler is part of Orchestra, correct?
[20:09] mgw: thats a lot ... I'd go with OpenStack.
[20:10] mgw: cobbler is the provisioning portion of Orchestra, and definitely the biggest piece.
[20:10] miceiken: If that doesn't kill it, you can try `kill -9 %n`
[20:10] thats what i did :P
[20:10] miceiken: And if THAT doesn't kill it, you might want to find out why it's not stopping. ;)
[20:10] miceiken: `strace -p _processnumber_` is a start
[20:15] [1]+ Stopped ./pipsqueek.pl ../etc/
[20:15] miceiken@celeste:~/pipsqueek/bin$ kill 1
[20:15] -bash: kill: (1) - Operation not permitted
[20:15] kill %1
[20:16] %1 is special. It means job number, not process number
[20:16] ah
[20:16] miceiken: you won't be able to kill init (PID 1) and you probably don't want to :P
[20:16] haha
[20:16] Otherwise you're trying to kill the init process
[20:16] and that's a very, very bad thing
[20:17] Unless you relish having your machine crash spectacularly, in which case it's a great thing.
[20:17] snap-l: init is generally unkillable
[20:17] Highly recommended in that case.
[20:17] so, why isnt this working then :(
[20:17] kill -9 %1
[20:18] a process stopped by ctrl+z won't listen to signals
[20:18] kill -9 is the 'gun against the head' type
[20:19] RoyK: it will hear CONT, won't it ?
[20:19] a normal 'kill' sends a SIGTERM, which is generally a good idea, but if the process has stopped listening, SIGKILL (-9) should work better
[20:19] lifeless: probably, and perhaps SIGSEGV
[20:20] RoyK: you can also try SIGHUP before KILL (or SEGV)
[20:20] SIGHUP won't help much either
[20:20] and SIGSEGV won't be of much help - the only difference is that it might produce a core dump (if ulimit allows that)
[20:21] and by default, ubuntu is set to not coredump
[20:21] it would trigger apport
[20:53] hi everyone!
[21:07] is there a way for me to configure apparmor (or other utility) such that : if no apparmor profile exists for any executable that it will generate one as soon as it is run the first time?
[21:08] I guess what I'm looking for here is SysTrace (that venerable and dead project) behavior *somehow*. I'd really like a big catcher's mitt for trojans here
[21:08] firewall rules are not enough -- need app level learn modes and stuff.
[21:21] mistergibson: apparmor has a "logging" mode
[21:22] mistergibson: apparmor is meant to be selective, so if you want a more blanket policy, its probably advisable to contain untrusted users in VMs or containers.
[21:22] JanC: right, but you still have to save the complaints as a profile. ;)
[21:22] SpamapS: I don't have vms on this box
[21:23] is there a utility that will 'catch' anything that is run?
[21:24] mistergibson: Generally the regular permissions system can lock things down for blanket purposes
[21:28] New bug: #884428 in lxc (main) "new created ubuntu machines result in: "init: Unable to listen for private connections: Failed to bind socket "/com/ubuntu/upstart": Address already in use" [Undecided,New] https://launchpad.net/bugs/884428
[21:36] SpamapS: well, rather than just 'deny' something, I want to do something with it the first time it is run.
[21:37] mistergibson: sounds very complicated.
[21:38] SpamapS: potentially, but I'd like to be able at least to catch a list of all apps run and see if they have a profile ... if systrace can do it ... can't be that hard.
[21:38] SpamapS: unfortunately, systrace source code is old and broken -- but it is *exactly* the kind of thing I need.
[21:39] mistergibson: as JanC says, you can turn apparmor's complain mode on and use that to record it into a profile
[21:42] SpamapS: so the complain mode will see a new app?
[21:42] I know I can make a profile for any known path -- got that part, and run it in complain mode
[21:43] what I'm fishing for is the critter lurking that I don't know the path of
[21:48] thinking out loud here a bit : so, critterX runs somehow; unknown-thingy see it; observes it has no profile; auto-complain modes it. perhaps something like that.
[21:49] more like profile autogen more than anything I suppose -- it would be a start
=== pdtpatrick__ is now known as pdtpatrick
[23:01] hello
[23:03] upgraded to 11.10, applied latest apt-get update|upgrades and now interface eth0 does not come up on boot. help? thanks.
[23:05] matrillox: as a start, don't use a non-LTS for a server, and then, if you see errors, pastebin the logs when asking
[23:08] hey, so had an entry in deny.hosts I needed to remove (local printer who freaked out) how do i rehash that file so the printer is no longer banned?
[23:13] sudo network denyhosts restart
[23:14] duly noted RoyK
[23:15] anyway to downgrade back to a LTS version?
[23:17] actually that didnt do it
[23:18] matrillox: if by downgrade you mean reinstall, then yes, there is :)
[23:19] why yes, i did mean reinstall. that worked out well.
[23:35] matrillox, that's not to say 11.10 isn't supported, but it just came out, and bleeding edge is bleeding edge
[23:35] we need logs, config files, command output
[23:36] ah, 10-4.