[00:00] by adding a system with all the necessary info
[00:00] roaksoax: hmm, bloated or d-i, shouldn't make a difference
[00:00] Daviey: ok, so either way, we can only access the API once
[00:00] roaksoax: I'm saying, that i'm not sure it can be achieved with one API call.
[00:00] Daviey: why wouldn't it?
[00:01] roaksoax: I think you have to create the base object, then manipulate it.
[00:01] (i'm not certain on this)
[00:01] Daviey: uhmmmm i haven't actually checked that
[00:01] roaksoax: we first create a new system, then modify it a number of times (set its name, profile, mac addrs, etc)
[00:02] I'll have to look into that
[00:02] followed by a call to save_system
[00:02] adam_g: Is your understanding that you have to do it that way as well?
[00:03] right but the authentication is only done once, isn't it?
[00:03] ahh noo
[00:03] never mind
[00:03] roaksoax: yes, but...
[00:03] every time we pass the token
[00:04] you auth once, but get returned a token which you use forever more
[00:04] yep, multiple calls with a token
[00:05] Daviey: well what i just thought of is that maybe, that token should only authorize the modification of the newly added system
[00:06] since I presume that those tokens are unique per authentication
[00:06] and used per authorization
[00:06] roaksoax: As we use TCP, we could do ACL based on source IP address to match to a system profile?
[00:06] Daviey: AFAICS, yeah.. that's the required workflow for creating a new system with the parameters we want. im not sure how 'new_system, modify_system, modify_system, save_system' translates on the other end, in terms of authentication/authorization
[00:06] adam_g: annoyingly (as i've guessed you noticed), debugging server side is less than fun.
[00:07] Daviey: or somehow match the passed token with the system id being passed based on the token used on creation time
[00:08] I'm not sure that helps TBH.
[00:08] Daviey: nor do I, just an idea
[00:10] roaksoax: Keep 'em, ideas, rolling out.
[00:16] roaksoax: is there anything equivalent to early/late_commands that get executed server-side before/after a machine is provisioned?
[00:16] adam_g: what are you thinking?
[00:19] Daviey: just daydreaming... generating per-machine client certificates, shipping those in the preseed, and then revoking after the node has phoned home, or a timeout expired
[00:19] adam_g: at the very least, http://cobbler_host/cblr/svc/op/nopxe/system/$system_name could probably be made wider with a hook
[00:19] ie, the late_command to disable pxe after install.
[00:22] I wonder if storing a hidden data value, such as machine serial number and using that to validate against is viable.
[00:22] ie, you'd probably only know that if you have access to the box, confirming you are the mac address owner.
[00:22] still not clean IMO.
[00:26] Daviey: authing based on mac address seems tough since cobblers never seen the machines mac until cobbler-enlist is run, no?
[00:28] adam_g: Yeah, it would require more complexity to work around that.
[00:29] save me some backscroll.. what problem are you guys looking to solve?
[00:29] other than Daviey's insomnia?
[00:29] they want to solve why the universe exists
[00:29] :P
[00:29] lol i kid
[00:29] we did that last year.. 10.10.10 ;)
[00:30] SpamapS: they wanted to solve why the OTHER universe exists :p
[00:31] Resistance: it exists because Canonical are too tightarse to provide support for the vast majority of packages they steal from Debian
[00:31] adam_g: also MACs can be spoofed trivially and are inherently discoverable
[00:32] twb: Is that really a helpful comment?
[00:32] adam_g: at least, unless you operate a prison like me, where you can dictate physical access :-)
[00:33] SpamapS: Currently there is a shared username:password we need to give to everyone that asks for it.. not secure.
[00:33] Daviey: maybe not, I didn't read much scrollback
[00:33] adam_g: We could have a profile just for adding new systems, and then disown it from that user blocking further updates.
[00:33] (post save_system)
[00:36] Daviey: you're PXE-installing arbitrary h/w, and want to match the preseed (&c) to the h/w model?
[00:38] twb: no, we have a minimal boot environment that will be booted when a new server is racked (provisioning server doesn't yet know about it), it posts back mac address and other data via an xmlrpc api
[00:38] currently the api user has full admin access.
[00:38] Eek
[00:38] Daviey: so the u:p that is used to save systems.. is also capable of doing other damage?
[00:38] As we ship the creds via a preseed on first boot, everyone can get the creds to the server
[00:38] Daviey: I don't know if that's really such a huge concern.
[00:39] Why can't that specific API call be anonymous?
[00:39] dunno if you want people anonymously adding new systems
[00:39] twb: well in part, it is a privileged operation as adding a system requires multiple API calls.
[00:39] anonymously adding systems is still quite dangerous
[00:39] That is, add a new system - then add data about the system
[00:39] If it's purely anon, then anyone can edit any profile.
[00:40] But surely the call is informative only -- it's not making changes to the system
[00:40] well it is, because you need to do a >1 stage process.
[00:40] "Hi my name is Fred I have mac xx:xx.. and I am a pizza box"
[00:40] Add system Fred.
[00:40] Fred mac address is xx:xx
[00:40] Fred you are a pizza box
[00:40] That is 3 API cals.
[00:40] calls*
[00:41] Sounds to me like the right thing is to change the API
[00:41] or s/change/extend/
[00:41] Well... something we can do, is have a registration user.
[00:41] Add system Fred, owned by reg_user
[00:41] Fred Mac address is xx:xx.
[00:42] Fred, add more data
[00:42] save()
[00:42] Fred is now owned by !- reg_user
[00:42] you lost me 20 fred's ago :)
[00:42] Daviey: this is considered purely a time-saving operation for the admins right, admins still need to confirm these systems.
[00:42] So the shared user/pass for reg_user cannot make further changes to that profile.
[00:42] So the first operation creates fred and at the same time sets up bidirectional authentication based on some secret and/or keys to which the default preseed isn't privy?
[00:43] SpamapS: well default yes, but it should be optional.
[00:43] I'm just concerned that there will be an instance where systems are accidentally put into the provisioning VLAN and .. whoops.. reboot and it gets blanked.
[00:44] twb: well the first API call is to auth with a plain user:password, which returns a token object which is used on all further API calls for that session
[00:44] SpamapS: well yes, which is why it needs to default to manual.
[00:44] Use case being plugging my laptop into the LAN and rebooting :)
[00:44] That would make me somewhat upset.
[00:45] Turn off PXE on your laptop then :P
[00:45] you have pxe boot by default on your laptop?
[00:45] patdk-lap: I used to
[00:45] so manual in that all this will do is boot, register, reboot into the manual "boot from disk" menu.. ok
[00:45] twb: never! :)
[00:45] SpamapS: yeah
[00:46] Right ok, so yeah, if there were an API call which would allow you to give away your ownership to another user, that would solve the issue would it not?
[00:46] I think currently the best plan is disowning a system from a minimal prived shared cred user when it is enlisted.
[00:46] essentially, do all the bits with fred, then change owner to "admin" and when save returns, you can no longer touch the machine
[00:47] SpamapS: yeah, i'm not sure there is an xmlrpc query for it.. but it's certainly supported via the cobbler pythonic api - so might be easy to expose if it doesn't already
[00:47] This would still allow malicious abuse of the cobbler system by a single node on the provisioning network though.
[00:47] SpamapS: well it would allow someone to add a bazillion systems
[00:48] Exactly
[00:48] So perhaps another enhancement is to add user quotas.
[00:48] I'm not what we can do about that
[00:48] and have the reg user limited to 100
[00:48] That would be a fairly straightforward change I think.
[00:48] well that wouldn't stop them disowning, and adding to the admin pool.
[00:49] admin would also have 100 quota
[00:49] or at least, a sane quota that they could raise themselves
[00:49] SpamapS: we could ARP lookup the mac address as an isValid() validation check.. but perhaps that is overcomplicating.
[00:50] err, scrub that
[00:50] i'm tired.
[00:50] can spoof that
[00:50] yeah you're not supposed to be around at my EOD :)
[00:50] this is usually when we make fun of you
[00:50] SpamapS: I could make the same comment to you, most days :)
[00:50] err, my SOD.
[00:51] SpamapS: How is that cobbler precise upload looking? :)
[00:51] Right, /me goes AWOL.
[00:51] nn
[00:51] Daviey: zul promised to look at rbasak's changes and mine as well
[00:52] SpamapS: zul is the reason i don't have a pony.
[00:53] He's also responsible for you losing your cookies via jackass is he not? ;)
[00:56] SpamapS: no comment..:)
[01:00] SpamapS: that was a classic
[01:41] New bug: #890501 in cloud-init (main) "EC2 cloud-init overwrites 127.0.1.1 in /etc/hosts on every reboot" [Undecided,New] https://launchpad.net/bugs/890501
[01:56] I have a LAMP/SSH server I just installed today. I've been unable to login via the console. I have been able to login from ssh, when I try to change the user password, it gives the error "passwd: Authentication token manipulation error" after entering the first password. I don't even get to confirm it. Any idea what's going on?
[01:58] flickerfly, is your user in the admin group? type groups
[01:58] yes
[01:59] it is actually the user the installer created, but I just checked to be sure
[02:00] sudo passwd
[02:04] so the password change worked, but I still can't log in at the console
[02:04] I can still login with ssh with the new password
[02:05] Nov 14 19:03:47 portal login[8651]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
[02:06] Nov 14 19:03:50 portal login[8651]: FAILED LOGIN (1) on '/dev/tty1' FOR 'username', Authentication failure
[02:13] flickerfly, sudo usermod -s /bin/bash
[02:13] in case the shell is wrong
[02:14] if the shell is OK, nm
[02:14] shell is good
[02:15] I just grep'd /etc/passwd to be sure
[02:17] flickerfly: pastebin output of this: egrep -v '^[[:space:]]*(#|$)' /etc/pam.d/common-* /etc/nsswitch.conf
[02:17] have you changed the hostname?
[02:17] no hostname change
[02:18] in sshd.conf, PermitRootLogon is Yes by default, but if you have changed that to No, root can't log in over shell
[02:18] qman__: http://pastebin.com/uEjyPtJV
[02:19] flickerfly: do the same for /etc/ssh/sshd_config as well
[02:19] I'm not trying to login root, ssh is working fine
[02:19] it's the console that fails
[02:19] trying to setup a ssh tunnel and getting the error open failed: administratively prohibited: open failed
[02:19] any idea why
[02:20] flickerfly: the files you pasted look fine to me
[02:20] flickerfly: "ssh works" -- works with password, or key, or both?
[02:21] ssh works with password, I haven't transferred keys or anything like that yet. This is a very fresh install.
[02:21] here is the sshd_config: http://pastebin.com/VfmCu7V7
[02:23] I can't see what would be wrong
[02:23] If you create a new user (adduser) can he get in?
[02:24] Maybe the account is locked -- check "getent shadow fred" FSVO fred -- but don't paste that because it contains the password
[02:24] the user can get in via ssh so the account isn't locked
[02:25] flickerfly, I am able to telnet localhost port 10162, that the ssh tunnel works on and get the telnet prompt of the service
[02:26] two setup sshd_config looks on have PermitTunnel, AllowTCPForwarding
[02:26] yaboo, administratively prohibited means one of two things that I know
[02:26] either you're trying to bind to a port < 1024 on one end or the other, which is not allowed as a non-root user
[02:26] but when I do a snmpwalk it fails and does the administratively prohibited
[02:27] qman__, using port 10162
[02:27] or you're using a user account which is not allowed in sshd.conf to tunnel
[02:27] on one end, what about the other?
[02:27] qman__, how can I check this, something new to me
[02:28] paste your ssh line used to create the tunnel
[02:28] by default, all users are permitted to do this, but if you implemented any SFTP-only or other restrictions you probably disabled it
[02:29] su - cactiuser -c "ssh -f -N -g -p 22 -L 10162:localhost:161 cactiuser@remotemachines"
[02:30] there you go
[02:30] have setup snap to be tcp port, can telnet to the port
[02:30] 10162:localhost:161
[02:30] yaboo: ow
[02:30] can snmpwalk on the remote machine
[02:30] port 161 is < 1024
[02:30] and requires root to bind to
[02:30] but 161 is the remote machine
[02:30] doesn't matter
[02:30] but it works for another tunnel
[02:30] qman__: not the way he's using it
[02:30] qman__: he's binding to 10162 locally and connecting to 161 remotely
[02:30] yes
[02:31] twb ok how do I get around this
[02:31] qman__: I do that all the time with e.g. ssh -fNL 8080:www:80 example.net
[02:31] qman__: I'm not root there
[02:31] ah, I misread it
[02:32] you're right
[02:32] qman__: easy mistake
[02:32] I was thinking the opposite direction
[02:32] qman__: the mnemonic is that you write "www:80" not "80:www"
[02:32] because that's what I have to do to set up backuppc tunnels
[02:32] yaboo: don't use -g or -p 22 unless you actually need them
[02:33] twb ok
[02:33] yaboo: also safer to use 127.0.0.1 because localhost might not resolve
[02:33] ok -g and -p gone
[02:34] and localhost changed to 127.0.0.1
[02:34] yaboo: is the ssh client running 4.8 or higher?
[02:34] yaboo: if so try ssh -w 127.0.0.1:161 cactiuser@remotemachines, see if you can interact with it at all
[02:35] Also if cactiuser has /bin/false as his login shell, su - will do the Wrong Thing; sudo -u will not.
[02:35] two try the ssh as the cacti user?
[02:36] It's "twb"
[02:36] And I don't really care who you ssh as
[02:36] twb get bad tun device
[02:37] Hang on
[02:37] Sorry I meant -W not -w
[02:38] trying now
[02:38] another piece to this puzzle, if I create a new user and try to login to the console as this user, it fails the same way.
[02:39] flickerfly, I'm going to guess your issue is a hardware one
[02:39] I'm dealing with a virtual machine here
[02:39] if it works over SSH, but not locally, and it's failing authentication, it's quite likely the password is not being entered as you think
[02:40] flickerfly, xen?
[02:40] vmware
[02:41] qman__: ah, like his caps key is down or some shit
[02:41] qman__: or he is typing dvorak but the VM is reading it as qwerty
[02:41] yeah, or broken keys, but in the VM world, it's more likely a failure to map keys correctly by the VM software
[02:41] vmware needs to die
[02:42] twb: I have to type the username so those problems present themselves
[02:42] Yeah, not real thrilled with vmware, but that's not my choice
[02:42] flickerfly: I'm out of ideas
[02:42] ok
[02:43] maybe I'll just have some windows qwerty user try it tomorrow then
[02:43] perhaps there something amiss in the whole RDP -> vSphere stuff
[02:44] two its just hangs at the moment after I type the password
[02:44] I've been cursing RDP all day for it's breaking my dvorak keyboard :-)
[02:45] thanks for the ideas folks
[02:45] flickerfly: rdesktop takes a -k option
[02:46] Yeah, but I'm on a mac because of the VPN software
[02:46] flickerfly: cisco?
[02:46] no Watchguard
[02:47] It is OpenVPN based, but I haven't taken the time to derive the config and all.
[02:47] Ugh, not sure what they- ah, OK
[02:47] That part doesn't pay :-)
[02:47] It should be trivial and then you wouldn't have to use OS X
[02:48] twb I think the previous command you gave me failed I typed in the password on the remote machine and no command prompt so far
[02:48] -W connects stdio to that port
[02:48] like netcat
[02:48] Yeah, once the deadline is sunk, I'll probably give it a look, but I think there is a hitch because it downloads a new config each time it connects and this changes frequently. I wonder if they are expiring certs fast or something
[02:48] flickerfly: more likely just poor design
[02:48] ok two, so I make a connection
[02:48] flickerfly: analyse the configs they are probably mungable
[02:49] twb: perhaps you are right
[02:52] twb so I guess the point of the above command proves.
[03:01] thanks for the help guess you guys are out of ideas also
[03:16] two worked out the issue
[03:16] GatewayPorts yes needs to be set
[03:22] yaboo: ok that's odd
[03:22] yaboo: ah, you only need that for -g
[03:22] yaboo: you should not be using -g unless you have a firewall on the ssh client side
[03:22] two the other side has a firewall
[03:23] That doesn't help
[03:24] sorry btw yes have firewalls on both sides so need the -g
[03:24] If you use -g, then everyone on your local network can access that port
[03:24] two I am the only one on the machine who has access to the port
[03:24] not machine, NETWORK
[03:25] twb ok so leave the -g out then
[03:25] For example suppose you do "twb@example.net$ ssh -fNL 8080:secret.google.com:80 ssh google.com"
[03:25] That exposes secret.google.com:80 to all users on example.net
[03:25] If you add -g, it exposes that port to all users on *.example.net
[03:26] two makes sense
[03:26] so I avoid the minus g
[03:26] Yes, unless of course you need to, in which case do it but lock it down
[03:26] twb true
=== jason is now known as Guest84928
[06:12] Grah
[06:12] Stupid cut-down ubuntu busybox
[06:13] no less, no vi, more doesn't actually wait after each page.
[06:13] I'm stuck using sed -n 1,25p scripts/casper to read the bloody script
[06:13] And the ramdisk is twice the size of the debian one anyway because of stupid useless plymouth
[06:24] And flipping casper seems to work with a partitioned, FAT32 USB key, but not an unpartitioned extlinux one
[06:24] Er, unpartitioned ext2 one
[06:24] >rage<
[07:27] In other news, it looks like SOEs built with latest lucid-updates & -security no longer detect PS/2 mice
[07:28] *my* SOEs, that is
[07:28] pub time
[08:32] hi there
[08:32] is this the right place to get help with preseed? i can't get it to honor some directive (e.g. do not ask for keyboard configuration)
[08:36] <_ruben> KaZeR_W: #ubuntu-installer is probably a slightly more appropriate place
[08:37] <_ruben> KaZeR_W: but keyboard config can't be preseeded, it can be kickstarted tho
[08:37] <_ruben> i have it specified on my tftp boot cmdline
[08:38] _ruben, i have it specified too, but it still asks for it. currently i have : "append initrd=ubuntu-server/initrd.gz priority=critical locale=fr_FR url=http://10.151.2.201:4568/ks/00:50:56:ba:00:17.ks auto=true locale=fr_FR console-setup/layoutcode=fr console-setup/ask_detect=false netcfg/choose_interface=eth0 debconf/priority=critical --"
[08:39] i'll ask in #ubuntu-installer too, thanks
[08:44] <_ruben> let's what i have specified
[09:05] _ruben, ? did you mean let's see ?
[09:06] <_ruben> KaZeR_W: yes, and something came up and i forgot i was gonna take a look :)
[09:06] <_ruben> append ramdisk_size=14984 debian-installer/locale=en_US console-setup/layoutcode=us url=http://.... vga=normal initrd=lucid-i386/initrd.gz --
[09:07] <_ruben> debian-installer/locale versus locale probably will do the trick
[09:08] thanks _ruben trying right now
[09:12] hi all
[09:18] _ruben, still the same. my append line now reads as "append initrd=ubuntu-server/initrd.gz priority=critical debian-installer/locale=fr_FR auto=true console-setup/layoutcode=fr console-setup/ask_detect=false netcfg/choose_interface=eth0 debconf/priority=critical --"
[09:18] do i need to specify a url to get command line arguments to be taken in account?
[09:19] <_ruben> only reason i can think of if it still asks for keyboard stuff, is that either fr_FR and/or fr aren't valid values
[09:21] the french keyboard is preselected in the keyboard selection menu, but it still asks
[09:22] <_ruben> i dont specify ask_detect, might be interfering (perhaps it's reverse boolean for instance)
[09:23] interesting : using append initrd=ubuntu-server/initrd.gz priority=critical debian-installer/locale=en_US auto=true console-setup/layoutcode=us console-setup/ask_detect=false netcfg/choose_interface=eth0 debconf/priority=critical it doesn't ask for the keyboard
[09:24] <_ruben> which gets us back to my idea of fr_FR and/or fr being wrong :)
[09:24] indeed :)
[09:25] i'll try to pinpoint which one it is exactly
[09:26] zul: hey
[09:26] lynxman: howdy
[09:27] <_ruben> KaZeR_W: select it by hand and use the debconf tools to figure it out :)
[09:27] _ruben, console-setup/layoutcode=fr works so i guess it's debian-installer/locale
[09:29] <_ruben> KaZeR_W: simple solution: don't use localized stuff ;-)
[09:30] _ruben, yes :)
[09:31] Hello I am using amazon cloud on ec2...I am trying to enable password based login in ssh
[09:31] <_ruben> why reduce security??
[09:32] so I set /etc/ssh/sshd_config -> PasswordAuthentication yes
[09:32] and sudo /etc/init.d/ssh restart
[09:32] but it still not working
[09:33] I get Permission denied (publickey).
[09:33] _ruben: bcos private key auth is pain in the ass
[09:33] PasswordAuthentication only applies to SSH protocol 1
[09:33] i can connect from any where
[09:34] The similar method in protocol 2 is covered by KeyboardInteractiveAuthentication
[09:35] so what should I do to allow password authentication
[09:36] i cant find any setting like KeyboardInteractiveAuthentication in sshd_config
[09:39] _ruben, i'm giving up on trying to build the preseed myself. i'll try with the debconf tool once installed. thanks for your help
[09:39] please let know how to get rid of forced private key authentication torture
[09:39] I need to login via password in ssh
[09:41] BuddyOfBuddy, which user are you trying to login as ?
[09:41] i create a new user
[09:41] I am trying login with it
[09:42] even if try with ubuntu it give public key denied error
[09:43] in fact i agree with ruben. using a private key is much better. what's wrong with it?
[09:46] New bug: #541747 in asterisk "undefined modules in loaded-by-default modules" [Undecided,New] https://launchpad.net/bugs/541747
[09:46] I need to create lots of users in server ....I dont want waste my time create private keys for every one
[09:47] plus on nautilus u just mount ssh using user name and password
[09:47] private key is torture for me
[09:48] you're a poet and you didn't know it
[09:48] for user in john jane julie; do ssh-keygen -f ~$user/.ssh/id_rsa -t rsa; done
[09:49] Although really the users ought to be generating their own keys and never sharing the private half with the server
[09:49] <_ruben> exactly
[09:49] yeah in perfect world
[09:50] but how to enable password based authentication ....is there a quick way
[09:50] i want my freedom
[09:50] :-)
[09:51] Enable KeyboardInteractiveAuthentication if not already enabled, configure user accounts with passwords and valid shells, that's it
[09:54] in etc/ssh/sshd_config ? or some other file
[09:55] so set -> KeyboardInteractiveAuthentication yes in -> /etc/ssh/sshd_config ??
[10:01] ok resolved
[10:01] thanks
[10:23] how can one generate a full preseed file for installing a clone of a server ? debconf-get-selections seems to report way too much informations
[10:24] and in fact some other informations are missing
=== smb` is now known as smb
[10:27] ok "debconf-get-selections --installer" seems to be what i need
=== koolhead11 is now known as koolhead17
[11:31] New bug: #890649 in samba (main) "package samba 2:3.5.8~dfsg-1ubuntu2.3 failed to install/upgrade: ErrorMessage: package samba is not ready for configuration cannot configure (current status `half-installed')" [Undecided,New] https://launchpad.net/bugs/890649
[11:44] Hello, Can I download files from server to a specific folder? like var/www
[11:44] using wget
[11:45] <_ruben> cd var/www && wget ....
[11:45] _ruben: Thank you.
[11:57] _ruben: Is this correct? var/www && wget http://wordpress.org/latest.zip
[12:01] No
[12:02] you need to Change Directory by using cd first (cd stands for Change Directory)
[12:02] issue "cd /var/www"
[12:02] then wget latest of wordpress
=== jetole is now known as joebob
[12:19] ersi: Thank you.
[12:20] <_ruben> then again .. downloading the latest wordpress zipfile into /var/www doesn't make much sense in the first place, but that's a different story ;)
[12:23] _ruben: I have a lot of files that I want to download to the dir var/www that's why I wanted to know how. :)
=== joebob is now known as jetole
[12:26] Syria: note that '/' in front of the path is like "C:" sort of in Windows, ie saying just var/www means one thing while /var/www means another. One is a absolute path, one is relative. If you're in the dir /home/syria/ and make var/www and downloads files there.. I'll be in /home/syria/var/www and not in /var/www :)
[12:27] ersi: This is a new information to me thanks again.
[12:28] You're very welcome :)
[12:30] Syria, did you check ubuntu server guide
[12:31] koolhead17: Actually no.
[12:31] Syria, you should TBH :D
[12:32] koolhead17: I will do that very soon, Thanks.
[12:32] Syria, https://help.ubuntu.com/10.10/serverguide/C/
[12:32] :)
[12:33] * koolhead17 wonders why server channel topic still points to 10.4 guide /o.0\
[12:33] It's very good, in my opinion. It covers a lot
[12:33] ersi, indeed :)
[12:33] koolhead17: probably for the same reason you linked the 10.10 one? :D
[12:33] ersi, very true
[12:34] The changes aren't *that* disturbingly great, but there is changes
[12:34] Syria: For the absolutely latest Ubuntu server guide, go to here instead: https://help.ubuntu.com/11.10/serverguide/C/ (Only thing that differs is the number 10.10 to 11.10)
[12:35] EricJ, typo i meant 11.10 :D
[12:35] * ersi
[12:36] ersi, i donno if its policy to keep latest LTS on topic :D
[12:38] might be, would not be so strange
[12:39] The latest LTS is 10.04 right?
[12:40] yes it is
[13:12] New bug: #890362 in glance (main) "Should glance user's shell be /bin/false?" [Undecided,New] https://launchpad.net/bugs/890362
[13:13] * Daviey wonders if that is a question or a bug
=== grzyweasel_ is now known as grzyweasel
[13:26] I have a broken disk in my server, I get alot of output to my console every time it tries to access the disk, how can I prevent the errors temporarily? I need to reconfigure mdadm, fail the disk and so on, but the screen is so full of errors I cant really work.
[13:27] probably a pretty basic thing, but I can't really formulate it to apply my google-fu
[13:31] azzid: 'reset' or 'clear' :)
[13:31] or doesn't that work over yer console?
[13:36] ersi: clear will clear what is currently on the screen, but the error keeps appearing like every other second so I need to redirect it somehow
[13:37] azzid: How about hopping over to another console?
[13:37] it follows me if I switch tty =/
[13:38] ssh is not affected, but the network driver is wrong so those sessions die after ~20 seconds
[13:44] * ersi hugs his serial console
[13:45] * koolhead17 kicks himself
[13:45] I think you're unfortunately in shit creek without a paddle, my good sir :|
[13:45] How about booting from another source, like a thumbdrive?
[13:45] (I know this'll probably be a PITA)
[13:46] ersi: try tty --silent or --quiet
[13:49] zul, what kind of asinine package do you have to write to fail update, then refuse --purge saying 'reinstall first'? (yes, i'm blaming YOU for rabbitmq-server :)
[13:49] hallyn: gah?
[13:50] ersi: seems im not all out of luck, while asking the question mdadm seems to have stopped bothering the disk, so now the console is usable again! =)
[13:51] filo1234: will try tty --silent if the screen starts fill up with crap again
[13:52] hggdh, jamespage Hm, I fear we still will be asked about news on bug 790712. Cannot say I got anything. Is this still happening (might be worked around by more ram and none of us really notices)
[13:52] Launchpad bug 790712 in linux "20110531 i386 server ISO: order 5 allocation failure during install" [High,Confirmed] https://launchpad.net/bugs/790712
[13:56] azzid: Huzzah!
[14:02] smb: we did indeed work around by raising the default memory size of the VMs to 764 (from 512)
[14:02] smb: I have been trying to reproduce it without success
[14:04] hggdh, Hm, so what do you think. Should we close the bug for now until we trigger it again?
[14:11] New bug: #890691 in rabbitmq-server (main) "rabbitmq-server won't upgrade or purge" [Undecided,New] https://launchpad.net/bugs/890691
[14:13] smb: let me try one more time
[14:14] hggdh, Sure. Or alternatively reset the memory value back to 512 for the automated tests and wait. At least that we can then use as the status update for our action? :)
[14:15] smb: yes. I will update the bug
[14:17] kirkland: sorry I missed your message about byobu
[14:17] kirkland: also, I am sure this will be useful for something down the road: https://github.com/holman/spark
[14:17] jcastro: heh, no worries
[14:18] jcastro: neat; jhunt has a branch with some of this in byobu
[14:18] oh cool
[14:18] jcastro: i need to revisit it now that we're on tmux
[14:18] jcastro: it depends on utf8
[14:19] jcastro: which is pretty broken in screen
[14:19] jcastro: but works like a champ with tmux
[14:19] woo
[14:26] kirkland: ping
[14:26] kirkland: have you noticed the new behavior of add-apt-repository?
[14:26] mtaylor: The warning message?
[14:26] yes
[14:27] Daviey: sort of makes automation scripts, well, unhappy
[14:27] mtaylor: automation, who uses THAT?
[14:27] Daviey: oh. silly me. I forgot.
[14:27] mtaylor: does -y, not automated it?
[14:27] Daviey: shouldn't users who need that confirmation in oneiric be using the Ubuntu Software Center anyway?
[14:28] Daviey: it does - unless I'm writing automation scripts which also need to work on pre-oneiric
[14:28] mtaylor: it's not silently ignored pre-oneiric?
[14:28] Daviey: OR - following any of the bazillion cut-and-paste instructions on installing software on the web
[14:28] Daviey: nope
[14:28] *sigh*
[14:28] yup.
[14:28] mtaylor: can you raise a bug?
[14:28] turns out ppa's are REALLY popular :)
[14:28] I was writing one right, but then thought I should ping someone first
[14:29] mtaylor: suggestions for a fix also welcome. :) .. Perhaps respecting a env variable?
[14:30] Daviey: honestly, I would revert the confirmation [14:31] Daviey: it has no real use in server environments [14:31] Daviey: and in desktop environments, the recommended end-user interface is the software center [14:31] although if it's got to stay - respecting an env var, or perhaps a config file which could be created via d-i preseed questions [14:32] Daviey: and then we can just add that preseed option to the various standard preseed files that we use [14:32] https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/890708 [14:32] Launchpad bug 890708 in software-properties "Confirmation question is a UI regression breaking scripts" [Undecided,New] [14:36] mtaylor: I'm not entirely sure why it was added. [14:39] Daviey: I don't either - although it feels like one of those times that desktop use cases intruded into the world of things that are highly used in server land [14:40] mtaylor: well -y was added for this use case, but i understand portability. [14:41] mtaylor: Daviey: haven't noticed, that's bad :-( [14:41] kirkland: yeah, right? [14:42] mtaylor: totally a big pile of suck [14:42] kirkland: should I write an inflamatory blog post? :) [14:43] mtaylor: scathing [14:43] mtaylor: :-P [14:43] mtaylor: sure thing, if you want it added to the bottom of the pile :) [14:44] Daviey: the bottom of the pile of inflamatory blog posts I write? - I'm sure that pile is way to large for anything to get noticed on the bottom of it ;) [14:44] mtaylor: ping, https://jenkins.openstack.org/job/nova-ppa/1342/console why is my email address used? [14:44] mtaylor: or, better yet, just ask mvo :-) [14:45] mtaylor: i bet mvo fixes it within minutes :-) [14:45] zul: because? [14:45] mtaylor: can you jump into #ubuntu-devel? [14:45] zul: looking [14:45] mtaylor: let's poke mvo about it [14:45] kirkland: joining now [14:45] mtaylor: i just find it odd :) [14:46] mtaylor: i just pinged him there [14:46] oh for shit's sake. 
my irc client has quit joining channels again [14:46] what a pile of ass [14:47] zul: I'm guessing because you were the last person to commit to the packaging branch? or that you were the person who edited the changelog last? [14:47] zul: I'd have to look a little further [14:47] mtaylor: ah i was just curious no biggy [14:47] mtaylor: you coming? mvo is here now [14:49] kirkland: I'm unable to join the channel because my irc client got borked (and I have a few tabs that I need data from) [14:49] mtaylor: heh [14:49] mtaylor: okay, Daviey and i are talking to mvo now [14:49] kirkland: any chance I could be a diva and ask him to come in here for a sec? [14:49] kirkland: or - you can probably handle it [14:49] kirkland: did you see my preseed-related suggestion to Daviey above? [14:50] mtaylor: we can handle it, and the irc nazis might get on us for moving a conversation that belongs in ubuntu-devel away from it [14:52] mtaylor: kirkland: hm, so it does check is sys.stdin.isatty() - in what env do the scripts run? [15:18] Hey folks, I am also in the Kubuntu channel, having some issues with the most recent kernel available (I think), Networking is really flaky. It was suggested I come in here and make a request to see if there is a newer kernel package that is pre-release, and if I can have it. [15:23] hello! If i want to change the configuration file used by vsftpd, do I need to edit the path directly in the upstart script? [15:30] smb: I really cannot repeat it on precise's kernel (bug 790712), and jibel confirms we are not seeing it. How do you want to proceed with it? [15:31] Launchpad bug 790712 in linux "20110531 i386 server ISO: order 5 allocation failure during install" [High,Confirmed] https://launchpad.net/bugs/790712 [15:31] smb: close fixed by unknown on precise? [15:33] hggdh, I would tend to close it, either invalid or fix released with a comment. 
And I am not too hot for trying to find a solution for oneiric, given that for the testing case it is enough to increase memory a bit. [15:33] smb: will close it this way, then [15:34] hggdh, Thanks- This sounds like one of these things that would take much more time to find any fix for than the actual use would be [15:34] smb: I agree [15:38] smb: precise's task closed fix released, oneiric and natty wontfix [15:38] smb, Ok, sounds good to me. Thanks [16:18] stgraber, lp:~serge-hallyn/ubuntu/precise/lxc/lxc-default-config2 is now rebased on top of precise's lxc, tests fine for me. (speaking of tests, i guess we should have a little testsuite) [16:22] hallyn: ouch, your branch contains quite a lot of changes in .pc, basically destroying all of them and re-creating all of them :) [16:22] no, it can't. I re-did that without killing .pc [16:22] maybe i failed on push [16:23] hallyn: hmm, "Leave as "false" if you'll use virbr0 or another existing" but USE_LXC_BRIDGE="true" :) [16:23] but anyway i was just going to dput, not merge the bzr source, so hopefully the archive will dtrt [16:24] stgraber, oops, i did change that after commenting :) [16:24] do you think default on is ok? [16:26] comment fix pushed [16:26] I think it's going to make it easier for quite a lot of users yes. Ideally this should be a mandatory debconf question once the default file is generated using a debconf template [16:27] hallyn: should you use dnsmasq's pid file to kill dnsmasq instead of trying to find it in the process list? [16:27] *shouldn't [16:28] Hm, I suppose. (I don't trust pidfiles in general, but long as I'm creating it...) [16:28] hallyn: also, in 0015-ubuntu-templ-use-updates.patch, policy is to always use security.ubuntu.com for -security IIRC [16:29] ahs3 meet hallyn, hallyn meet ahs3 :) [16:29] and last comment (I'm done reading the diff :)), shouldn't 'cp debian/lxc.conf debian/lxc/etc/lxc/lxc.conf' be moved to lxc.install? 
[16:30] Daviey, i've asked ahs3 :) [16:30] Daviey: 2.2.2 is tagged so i'll just do that [16:30] stgraber, maybe; I probably was thinking it was going to be a rename, that debian/lxc.conf wouldn't be acceptable [16:32] other than these few notes, changes look good [16:32] stgraber, I don't like that policy (re security) but ok :) [16:33] feh, that means i need another fix to the patch I sent upstream [16:34] hallyn: I think the idea was that archive.u.c can be mirrored/overridden/... and so isn't necessarily up to date, security.ubuntu.com should always directly hit the main security mirrors and so should always be up to date [16:35] security updates also get copied to archive.u.c (in the -updates pocket) so once your mirror catches up, you can grab it from there without touching security.u.c [16:35] ok, still have to fix the dnsmasq one... [16:36] then, with this # of changes, i'd better re-test everything :) [16:36] thanks for the feedback [16:36] np [16:40] hallyn: lemme guess, netcf :)? today's your day, dude [16:41] ahs3, yay! [16:44] L) [16:44] :) [17:01] doh! [17:01] I forgot 1600 UTC is now 08:00 for me. [17:01] we tried to tell you last week :) [17:01] who did? [17:01] but SOMEONE was on holiday [17:01] Tuesday I was most certainly not [17:01] hm [17:02] I just missed it because I was *asleep* [17:02] well, i'm getting old [17:02] i need a nap, and get off my lawn while you're at it [17:02] SpamapS: you now have a tonne of bugs :P [17:02] Daviey: as opposed to before, when I only had half a ton of bugs [17:02] SpamapS: heh. [17:02] I didn't see minutes from last week's meeting [17:03] SpamapS: bug 887410, might want your love. [17:03] Launchpad bug 887410 in apache2 "plymouth ask-for-passphrase" [Medium,New] https://launchpad.net/bugs/887410 [17:03] I noticed that mathiaz's old "generate the minutes" script doesn't work anymore with the new format. 
[17:03] SpamapS: the transition bugs that were opened last cycle, are you looking to resolve them this cycle [17:04] Daviey: which transition? [17:04] SpamapS: the runlevel ones [17:05] SpamapS: wow, more than i thought [17:05] https://bugs.launchpad.net/ubuntu/+bugs?field.tag=runlevel1 - how important are these? [17:06] Daviey: yes my plan is to take care of them all this cycle if possible [17:06] Daviey: 2 or 3 have already been fixed [17:06] They're all quite simple really [17:08] SpamapS: Do you want to document how to fix, might be good bitesize bugs for new contributors? [17:15] Daviey: First I want to get the automated boot testing fleshed out [17:15] Daviey: that way if these seemingly bitesized fixes break something we should find out [17:19] hi all [17:19] SpamapS: great! [17:21] am struggling a bit configuring ocsinventory with glpi, i remember back in the day i successfully configured it to periodically scan ip ranges for open ports etc. for machines that do not have the agent running, anyone can give me a hand in this? or, since we are just starting the implementation, alternatives for automatically inventorizing and managing are still welcome :) [17:32] jeiworth: what specific problem are you having? [17:37] pmatulis: ok, i have installed ocsinventory and glpi on a 11.10 server using packet manager, the interconnection between the two work fine, also any machine i install the agent on appears shortly after in the ocsinventory. so far so good, but what i also want is that the agents (or the server) scan the local net to see what ip's have open ports and which ones [17:38] pmatulis: this happens for ip and snmp scans [17:38] pmatulis: or better, they don't happen at all ;) [17:39] jeiworth: well it installs on ubuntu fine. 
it sounds like an issue at the app level [17:39] stgraber, (sigh :) new version pushed to bzr and tested [17:40] pmatulis: yes, it must be somewhere in the config [17:41] jeiworth: if anyone in this channel is familiar with this s/w then they will speak up but i feel you will get better help in another forum [17:41] pmatulis: thanks, yeah, i am checking google and their own chat but they don't seem too responsive there [17:59] Daviey: still around? [18:00] kirkland: ping [18:00] roaksoax: yo! [18:00] kirkland: yo! just upgrade tmux in lucid from your byobu ppa [18:00] kirkland: and got this: [18:00] Setting up tmux (1.5-1~lucid1) ... [18:00] /var/lib/dpkg/info/tmux.postinst: 7: dpkg-maintscript-helper: not found [18:00] roaksoax: i think that can be ignored [18:01] roaksoax: this is a backport of tmux [18:01] roaksoax: let me see what that's doing [18:01] kirkland: yeah it doesn't really fail or anything but just in case :) [18:02] roaksoax: yeah, it's benign [18:02] if dpkg-maintscript-helper supports rm_conffile; then [18:02] dpkg-maintscript-helper rm_conffile /etc/init.d/tmux-cleanup 1.4-6 -- "$@" [18:02] fi [18:03] kirkland: alrighty ;) [18:03] roaksoax: i can fix that, if you think that might scare people? [18:04] kirkland: well... it warned me but maybe regular users won't even notice it as it didn't fail to install or anything [18:05] zul: yup [18:05] roaksoax: okay, thanks [18:05] roaksoax: if there's any more complaints about it, i'll just add a command -v test to it [18:05] Daviey: should we move the css for cobbler to orchestra? [18:05] zul: +1 [18:05] zul: i think that "skin" belongs in orchestra [18:06] zul: note that the Canonical Design Team was supposed to help us with that [18:07] zul: Yeah, i'm not a fan of patching the upstream theme. 
We shouldn't have done that [18:07] Daviey: k i'll drop that one [18:08] roaksoax: fyi the arm doesn't apply anymore :( [18:10] stgraber, ok i'm going to try pushing (as a test to see if i have the upload perms now) [18:12] hallyn: if you don't, just poke me and I'll fix them :) [18:18] Hey gang... I have a server hardware question for you... it's been a while since I was on the Hardware OEM side of things, so I'm a bit out of touch with the latest and greatest... Are there servers being sold with converged devices (NIC/ISCSI) and are there servers being sold with physical 10GbE adapters [18:18] I'm curious about what's being shipped on the motherboard, not via PCIe options. [18:19] Also, anyone know of servers being sold with onboard FC? [18:20] FWIW, I'm working on beefing up hardware testing on servers running Ubuntu Server for the 12.04 cycle and trying to sort out what we currently test and what areas we may be missing. [18:20] can anyone recommend a good stress test library? [18:22] kyconquers: not sure about a library, but there's a tool in universe called 'stress' that seems to do a good job of stress testing systems. [18:23] Phoronix also has some usual server benchmark tests that hit things like PostgreSQL, MySQL, Apache, etc. [18:23] sysbench does a good job [18:25] bladernr, I don't know of any motherboards with onboard fiber at all [18:25] I'm having a problem with upgrading a postgres cluster from 8.4 to 9.1 [18:25] Getting an error that pg_upgradecluster cannot read the encoding [18:26] The encoding for all the databases is UTF-8 so it should be the same for all the databases [18:26] We only have the standard main cluster [18:27] patdk-wk: I don't either, and I was stretching a bit with that one, but I do know that there were boards coming that had converged network devices and onboard 10GbE at least... 
just don't know how common those are right now [18:27] ^^ outside of blades that use different infrastructure [18:27] bladernr: Error: "^" is not a valid command. [18:27] sheesh... [18:28] Where can I find logs of crontab on ubuntu 11.10? And/or -- how do I enable logging? [18:31] bladernr, there have been servers with onboard nic/iscsi for at least 6 years, and the 10gig onboard for 3 years [18:31] in fact, all my servers have onboard nic/iscsi combo [18:31] and the ones I bought in the last year are all 10gig onboard [18:34] Dulcin: should be in /var/log/syslog [18:43] robbiew, hi, do you know why https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-kvm does not show up in https://blueprints.launchpad.net/~ubuntu-server/+specs?role=assignee ? [18:43] SpamapS: is it possible to create a separate log for crontab only? [18:44] edit /etc/rsyslog.conf [18:44] Dulcin: 'grep -r cron /etc/rsyslog*' [18:44] actually add a file to /etc/rsyslog.d [18:44] #cron.* /var/log/cron.log [18:44] SpamapS: ;) [18:44] oh heh, changed on me :) [18:47] hallyn: checking [18:48] hallyn: needed some switches flipped ;) [18:48] done [18:48] robbiew, great, thanks [19:34] yay down to 20 cobbler patches [19:38] o.0 [19:55] Hello fellows, does ubuntu server use Network-Manager ? [19:56] by default? [19:56] no [19:57] smoser, thanks [20:05] njin: how could it? n-m is a graphical tool [20:06] pmatulis, false. [20:08] cwillu_at_work: n-m won't bring in the graphical stuff? [20:08] pmatulis, network-manager just recommends network-manager-{gnome,kde,whatever} [20:09] I use it headless for appliances [20:09] cwillu_at_work: ah ok, so i can install network-manager in a cli environment and that's all that will get installed? [20:10] yep; (noting that apt-get installs recommends by default, but that can be disabled temporarily) [20:10] cwillu_at_work: heh, ok [20:52] hi all [20:56] hey [20:56] any Brazilians? 
[21:00] !br | vasosanitario [21:00] vasosanitario: Please use #ubuntu-br for help in Portuguese. To join the channel, please type "/join #ubuntu-br" without the quotes. For the local Portuguese community, use #ubuntu-pt. Thank you. [21:09] now, to have a nick of 'toilet bowl' is indeed something [21:18] is there an application or test to tell how long an email server will take per email? [21:20] kyconquers: no but you can benchmark it yourself [21:21] ikonia, how? [21:22] kyconquers: write a shell script to inject 100 identical emails, then view the logs on the mail server and see how long it takes to process and how long it takes for the queue to go down [21:22] do this on a local lan so that you know your public internet connection is not a problem [21:23] then you know the server's capabilities (roughly - you can go as in depth as you want, ram queues, io times etc) [21:23] thank you ikonia [21:25] I notice this error in my cron log: (CRON) DEATH (can't open or create /var/run/crond.pid: Permission denied) [21:25] what is it trying to do and should I change file permissions on that file? [21:32] [ubuntu/precise] cobbler 2.2.2-0ubuntu1 (Accepted) [21:32] eod [21:34] zul: yay!! [21:50] hi. i installed xfce on one of ubuntu servers i have because i need some minimal graphical interface on it. due to a faulty GPU on that computer i could get to a feasible xfce by going into recovery mode and after selecting "Resume". That seems to me is the best video mode to use. How and where could i make it as default? [22:08] jcastro: +1 :-) [22:10] zul: nice one [22:23] when installing a raid configuration (new/blank install) shouldn't I have the RAID build on separate drives from the OS? [22:23] depends what you're attempting to do [22:24] basically I have 7 1.5TB drives and 1 640GB drive. 
i had planned on installing the OS on the 640 and build the RAID out of the remaining 1.5TB drives [22:24] if you only have two disks, obviously the raid will be on the same drives [22:24] if you have more disks, you still might want the os drives to be raided, for their own protection [22:24] that is fine [22:24] but when I try to partition during the install it is freezing at 50% [22:24] if your os drive dies, you just have to rebuild [22:25] i can tell the RAID is being built because it takes about 24 hours for the lights to stop flashing, but the install still hangs [22:25] dunno if I would bother attempting to do that at install time [22:25] I would just install [22:25] then build the raid later [22:25] hm [22:25] I only config stuff at install if it's needed for the os [22:25] but that is just me [22:25] is there a good front end for mdadm? [22:25] mdadm :) [22:26] haha [22:26] you want gui? you're in the wrong channel [22:26] i'm coming from openfiler, which was relatively easy [22:27] so then basically just pick the 640gb, tell it to automatically partition that drive then deal with the rest of em once the server is up? [22:27] that is how I do it [22:27] thanks [22:36] has someone configured "integrated" openldap with kerberos? i.e. kerberos stores its database in ldap, and ldap uses kerberos for authentication? Is it right that I still have to store the password for users used by kerberos to access ldap in ldap itself? [23:08] hi guys, I deployed this: http://majic.rs/book/initd-scripts/running-irssi-on-boot - when I reboot however, no screen/irssi session [23:08] works fine invoked like, /etc/init.d/irssid start [23:08] and I ran update-rc.d defaults irssid [23:08] How do I go about debugging what is failing here? :) [23:15] willwh, possibly a race. Possibly the network isn't fully up yet. I'd break it down into two parts: see if screen is coming up. If so, then see why irssi is failing. [23:15] use logs 2> output and if necessary, strace and friends. 
[23:15] alternatively just put a sleep in the script and see if that is a shortcut work around. [23:15] medberry: screen doesn't come up [23:16] willwh, doesn't screen need a tty? [23:17] Is there an automation-friendly way to enable the "universe" packages in /etc/apt/sources.list? [23:24] great…reboot after install and right after verifying DMI pool data - "error:fd0 read error. error: no such disk." [23:27] what software is good to automatically keep up a ssh tunnel [23:29] hmm, are NFSv4 ACLs supported in Ubuntu? [23:31] yaboo: I just use 'keep-one-running' from run-one [23:32] now i'm at the grub rescue prompt [23:32] yaboo: it's in 11.10 and later [23:32] SpamapS, I am using 10.04 [23:34] yaboo: then something like 'while true ; do ssh -xzyz foo ; sleep 1 ; done' [23:36] SpamapS, cool [23:37] SpamapS: there's an ssh config command which will send the keepalives [23:38] TCPKeepAlive yes [23:38] ServerAliveInterval 300 [23:38] in your .ssh/config [23:38] mtaylor, .ssh/config not /etc/ssh/sshd_config? [23:38] yaboo: it's a client config [23:38] not a server one [23:38] mtaylor, can it be /etc/ssh/ssh_config? [23:39] mtaylor: but that won't respawn the tunnel if ssh dies [23:39] correct [23:39] would like it to respawn the tunnel [23:39] oh - sorry, I was following your answer wrong [23:39] have keys setup for passwordless logins [23:43] yaboo: http://paste.ubuntu.com/739777/ is a quick and dirty cronjob that worked for me in the past... you might wanna work to make it a bit more robust though [23:44] m_3, thanks will look at it then