[00:04] <jetole> can someone think of a good name to give to someone who specializes in both high availability and disaster recovery?
[00:05] <jmedina> master?
[00:06] <ersi> "Jedi"
[00:06] <jetole> I like Jedi but I am thinking for a help wanted ad
[00:07] <jetole> presence availability architect?
[00:07] <jetole> lol
[00:07] <jmedina> just use his nick XD
[00:12] <JanC> HA & DR sound like opposite goals  ;)
[00:12] <JanC> well, opposite sources maybe  ;)
[00:14] <JanC> jetole: maybe "wanted: Jedi" (to attract attention) is a good title (with the qualities of HA & disaster recovery listed in smaller print)
[00:16] <JanC> although I think you might be looking for a white knight, and maybe two people who can do one of those well will be cheaper combined  ;)
[00:33] <jetole> JanC: I already broke the one person the boss asked for into three
[00:33] <jetole> lol
[00:33] <jetole> but thanks for the idea
[00:50] <mgw> anybody here know kerberos? #kerberos channel seems to be pretty inactive
[01:15] <SpamapS> mgw: maybe it's because kerberos is so awesome, it just configures itself. ;)
[01:15] <mgw> SpamapS : definitely
[01:15] <mgw> it's the most intuitive, user friendly system.. since ldap
[01:16] <mgw> Which is why they work so nicely together
[01:16] <mgw> Do you have much experience with it?
[01:16] <mgw> in particular kerberos+ldap
[01:17] <SpamapS> mgw: no I've never fully experienced the shimmering beauty of kerberos+ldap without the glorious addition of Microsoft's AD on top of it. ;)
[01:17] <mgw> ah, i'm sure that makes it so much easier ;-)
[01:17] <twb> #kerberos has a hard-on for AD anyway
[01:18] <twb> They aren't interested in helping MS haters
[01:18] <mgw> Is there a better alternative?
[01:18] <twb> mgw: AFAIK kerberos is the only secure way to run a network filesystem, for example
[01:19] <twb> mgw: but hey, if you trust your LAN, it doesn't matter so much
[01:19] <mgw> we're using it for user auth
[01:19] <mgw> supposedly ldap alone isn't so great
[01:19] <twb> mgw: FWIW I use a homogeneous openldap network with ldaps and slapo-ppolicy(5), which is OK
[01:20] <twb> I wouldn't run ldap-only in the conventional layout, where root on the client machines has read access to the password hashes
[01:20] <twb> Not in a security-sensitive network, anyway.
[01:21] <mgw> ok
[01:24] <twb> Broadly speaking if you aren't using TGTs (i.e. kerberos), you can either have everyone send cleartext passwords (over TLS) all the way back to the LDAP server, OR you can have the individual authenticators get the hash from the LDAP server and then compare it to the password themselves
[01:25] <twb> The latter approach means the password is never transmitted cleartext (over TLS) over the wire, but IMO it's better to trust TLS than to trust whatever lowest-common-denominator hashing algo you can get all the authenticators to sign off on, since that's probably MD5 or worse
[01:27] <SpamapS> oi.. mysql cluster server and mysql 5.5 just don't want to play together
[01:30] <mgw> twb: I'll stick with kerberos, but I need to figure out where this syntax error is coming from while initializing the realm
[01:31] <twb> mgw: oh sorry, didn't realize you already had krb
[01:31] <twb> mgw: what's the error?
[01:33] <mgw> kdb5_ldap_util: Invalid syntax while creating realm 'FOO'
[01:33] <mgw> kdb5_ldap_util create -s -D cn=admin,dc=foo -H ldap://127.0.0.1
[01:33] <twb> Hum
[01:33] <twb> -H ldapi:/// ?
[01:34] <mgw> tried that too
[01:34] <mgw> i'm successfully authenticating either way
[01:34] <twb> That's probably not the actual problem tho, it's just better to use a socket if you've got it
[01:34] <twb> k
[01:34] <twb> Incidentally I use o=Company instead of dc=foo,dc=bar,dc=baz because the former is shorter :-)
[01:35] <mgw> You will be prompted for the database Master Password.
[01:35] <mgw> It is important that you NOT FORGET this password.
[01:35] <mgw> Enter KDC database master key:
[01:35] <mgw> Re-enter KDC database master key to verify:
[01:36] <twb> mgw: if you have a multi-line transcript, pastebin it
[01:39] <mgw> https://gist.github.com/ce3013240c5abb9d240b
[01:39] <mgw> shall I paste my krb5.conf too?
[01:40] <mgw> https://gist.github.com/9662de14724a0526bd77
[01:41] <mgw> twb: ^
[01:45] <twb> I can't see what's wrong there
[01:45] <twb> Except maybe [domain_realm] is supposed to be [FOO] or something?
[01:45] <twb> No I'm thinking of line 8, FOO=
[01:50] <mgw> twb: i've got it working fine on another sandbox, and I can't see anything significant different
[01:51] <twb> krb likes to be magic wrt DNS -> krb domain
[01:52] <twb> Maybe the DNS settings are slightly different, or e.g. "hostname --fqdn" doesn't give the same thing -- something like that
[01:57] <mgw> my fqdn is admin02.xxx.internal
[02:36] <RoAkSoAx> .win 11
[02:36] <twb> RoAkSoAx: bzzt, I'm not irssi
[02:37] <RoAkSoAx> lol
[03:29] <philipballew> Question: Where is a good guide on setting up my own vpn server?
[03:30] <jeeves_moss> can someone recommend me a good "howto" for setting up master/slave Bind9 servers?
[03:31] <qman__> philipballew, the server guide
[03:31] <philipballew> !vpn
[03:31] <qman__> https://help.ubuntu.com/10.04/serverguide/C/openvpn.html
[03:32] <philipballew> qman__, thanks. This looks easy enough
[03:32] <qman__> as long as you're vaguely familiar with generating certificates, it is
[03:33] <qman__> there's a few choices to make like tap/tun, routed/bridged
[03:33] <qman__> and some networks require pushing extra routes or whatever, but it's pretty simple
[03:33] <philipballew> i have never set up a vpn before
[03:34] <philipballew> But I have done RSA ssh keys before
[03:34] <patdk-lap> you can use openvpn to make just about anything
[03:34] <patdk-lap> the biggest advantage of it is, no mtu limits, vs other vpn methods
[03:35] <patdk-lap> it can also be a disadvantage, but easy to compensate for if you want
[03:35] <philipballew> patdk-lap, what does that mean?
[03:35] <qman__> IMO the biggest advantage is ease of use
[03:35] <qman__> runs on single port, clients with GUI for windows and linux
[03:35] <patdk-lap> qman__, ya, and it's easier to use cause of the lack of mtu limit
[03:36] <patdk-lap> hmm, I have never seen gui clients for it
[03:36] <patdk-lap> I know they made that shell wrapper for it on windows
[03:36] <qman__> has a module for network-manager-gnome, and there's the openVPN GUI for windows
[03:37] <patdk-lap> those all just wrap the commandline thing though
[03:37] <qman__> installed by default on ubuntu now, makes it real easy
[03:37] <patdk-lap> windows is still a pain though, have to set, run as admin
[03:38] <qman__> yeah, UAC puts a hitch in
[03:38] <qman__> but there's also the option of enabling the service for an automatic connection in the background
[03:38] <qman__> just with the GUI could communicate with it
[03:38] <qman__> wish*
[03:38] <philipballew> So I can't change the port it uses?
[03:38] <philipballew> ?
[03:38] <qman__> you can
[03:39] <qman__> 1194 is just the default
[03:39] <patdk-lap> lots of people use 443
[03:39] <philipballew> alright. ill need to see if i can open that remotely
[03:39] <patdk-lap> I have mine setup to try a udp port first, then fallback to 443 tcp
[03:39] <qman__> it can run over tcp, but udp is the default, and bridge mode only works over udp
[03:40] <patdk-lap> qman, not true
[03:40] <patdk-lap> everything about openvpn works no matter what it's over
[03:40] <patdk-lap> be it udp or tcp
[03:40] <qman__> recent change? all the documentation I read said as such
[03:40] <patdk-lap> the issue with tcp comes with tcp inside of tcp
[03:40] <patdk-lap> well, it will work, definitely won't be optimal
[03:41] <patdk-lap> cause packets that are made to have loss, and stuff, will retry over tcp forever basically
[03:41] <qman__> mine at home is set as a bridge over a tap device
[03:41] <patdk-lap> I rarely use bridge mode, I don't see the point
[03:42] <patdk-lap> why do I want broadcast/multicast traffic hogging the vpn
[03:42] <qman__> I use it to connect wireless clients to the LAN, as my wireless APs are on a different network
[03:42] <qman__> operating a public wifi here
[03:43] <qman__> while not absolutely needed, it's convenient for games and printers and other weird and/or old software
[03:43] <patdk-lap> well, if it's local, that is one thing
[03:43] <patdk-lap> I was thinking normal vpn usage, at crappy hotel/hotspot
[03:43] <qman__> I use it from the internet too, but that's where the majority of the use is
[03:44] <philipballew> So after I make all the keys I'll need to move the private one to my desktop huh?
[03:44] <qman__> no
[03:44] <patdk-lap> na
[03:45] <patdk-lap> you need the private/public + ca
[03:45] <qman__> you need to copy the CA certificate and the client key and certificate
[03:45] <qman__> the server key stays on the server only
[03:45] <patdk-lap> the private one is the only one that must be secured though
[03:45] <patdk-lap> both for the server and clients
[03:45] <philipballew> well I will do all this on my server and then ill have a key i need to use to connect to the vpn with correct?
[03:46] <qman__> correct
[03:46] <qman__> you will need four files for the client
[03:46] <qman__> CA cert, client cert, client key, openvpn config
[03:46] <qman__> the client key is confidential to the client and should be transmitted securely and kept private
[03:46] <patdk-lap> and maybe a tls key
[03:46] <patdk-lap> or what do they call it, for the dh
[03:46] <philipballew> ill use sftp or ssh
[03:47] <qman__> both certs are safe to post publicly, the config technically could be but you probably don't want to
[03:47] <philipballew> https://help.ubuntu.com/10.04/serverguide/C/openvpn.html under client certificates is what I enter into my desktop then?
[03:48] <qman__> yes
[03:48] <qman__> my setup doesn't have a ta.key
[03:48] <patdk-lap> ah, the tls-auth dh stuff
[03:49] <qman__> I didn't have pkitool either
[03:49] <patdk-lap> it's really only useful if someone dos/ddos you
[03:49] <qman__> looks like it makes it easier to add clients
[03:49] <patdk-lap> I'm using easypki I think, that is pretty painless
[03:49] <philipballew> so
[03:49] <philipballew> cd /etc/openvpn/easy-rsa/
[03:49] <philipballew> source vars
[03:49] <philipballew> ./pkitool hostname
[03:50] <qman__> mine I just look up my history and grab the openssl commands
[03:50] <patdk-lap> . ./vars
[03:50] <philipballew> should be entered into my desktop and not the server?
[03:50] <qman__> no
[03:50] <qman__> all of that is done on the server
[03:50] <philipballew> okay
[03:50] <qman__> you simply copy the resulting files to the desktop
[03:50] <philipballew> ah, alright
[03:51] <qman__> my VPN server was set up with and still runs 8.04
[03:51] <qman__> so it was a little different
[03:52] <philipballew> qman__, Mines 10.04
[03:52] <patdk-lap> I just upgraded my main firewall/vpn hub server 2 weeks ago from 8.04 xen domu to 10.04
[03:52] <patdk-lap> just did an rsync, and it was running :)
[03:53] <patdk-lap> freaking iptables on that machine has over 3k lines
[03:53] <qman__> ha
[03:53] <patdk-lap> it has 14 interfaces
[03:53] <qman__> I've got a little script on mine to handle port forwarding, 4 interfaces
[03:54] <patdk-lap> oh, this is no nat at all, or port forwardings
[03:54] <patdk-lap> just access restrictions between interfaces
[03:55] <qman__> heh
[03:55] <philipballew> so with what im setting up i need to have Bridging enabled as well?
[03:55] <qman__> I just have the house LAN, cordoned off wifi with internet-only access, and restricted LAN for the business point of sale machines
[03:56] <qman__> put the script together because I used to be on DHCP, so I had to make it easier when the IP would change
[08:50] <jamespage> morning all
[09:01] <Randolph> hi all
[09:16] <lynxman> jamespage: morning o/
[10:44] <koolhead11> hi all
[10:50]  * uksysadmin feels sorry for koolhead11 as nobody is saying hi
[10:50] <uksysadmin> hi koolhead11
[10:53] <koolhead11> hey uksysadmin :D
[10:57] <uksysadmin> when pxe booting precise from orchestra - I presume that glaringly big bug of having no feedback during install apart from tailing the logs on the orchestra server is a known one?
[11:00] <koolhead11> uksysadmin: best answer will be check at launchpad and see if its there
[11:00] <koolhead11> if not file one :P
[11:01] <uksysadmin> I'm not entirely sure what bug I'm filing - whether it's a bug in Orchestra, a bug in Precise installation, or whatever the pxe boot image I'm using
[11:01] <uksysadmin> certainly can't find a bug related to it
[11:03] <koolhead11> uksysadmin: so orchestra works without error when u using onekenthomas
[11:03] <koolhead11> oops
[11:03] <koolhead11> oneiric
[11:04] <uksysadmin> yes - I can pxe boot stuff in Orchestra in Oneiric  and do some stuff
[11:04] <uksysadmin> I've just done a fresh install of Precise, updated and install Orchestra
[11:04] <uksysadmin> Booting a machine using it and during the package installation the screen is just black
[11:04] <koolhead11> uksysadmin: i am not sure if precise is currently even in alpha or not
[11:04] <uksysadmin> tailing the logs on orchestra I see it doing debootstrap stuff etc
[11:04] <uksysadmin> it's alpha-1
[11:05] <uksysadmin> I'm aware of it being buggy - but do Ubuntu devs want to know about this stuff?
[11:05] <uksysadmin> it's the difference between known issues and unknown ones
[11:09] <koolhead11> uksysadmin: file a bug then. what are you waiting for?
[11:09] <koolhead11> linking it to precious alpha :D
[11:17] <uksysadmin> lol ok ok ;-)
[11:23] <uksysadmin> There - someone will reply "You're expecting an alpha-1 release of some software booting more pre-alpha code and you expect what?" ;-)
[11:24]  * koolhead11 kicks uksysadmin 
[11:24]  * koolhead11 wonders if everyone is having beer early weekend today
[11:27] <uksysadmin> in 30 mins, yes...
[11:28] <uksysadmin> It's Friday - thought it was the law to go the pub at lunch?
[11:28] <koolhead11> well i have 3 more hours at work
[11:29] <uksysadmin> pub 30 mins, 1 hour lunch, 3 hours left, then I'm off for a week :)
[11:54] <jamespage> Daviey: can I get a second opinion on SRU-worthiness of bug 659439
[12:07] <Daviey> jamespage: right, so some people will be using it together.
[12:07] <Daviey> If they didn't install mysql-server, they'd have a working setup now..
[12:08] <Daviey> If it gets dropped from a Recommends to Suggests, for example, it would be freed up for removal as an update
[12:12] <jamespage> Daviey: well they would have that problem on release upgrade anyway
[12:14] <Daviey> jamespage: Hmm, i'd say the fact that people can work around it by doing, apt-get --no-install-recommends install rsyslog-mysql , says to me that it isn't High Impact enough.
[12:15] <jamespage> Daviey: I tend to agree
[12:15] <Daviey> (i'd say also, not obviously safe.)
[12:16] <Daviey> I mean, you might expect something to go wrong between distro upgrades, but not sru updates.
[12:16] <jamespage> yeah - agreed; I'll mark that as won't fix and comment appropriately
[12:18] <Daviey> jamespage: I'm not blocking it, you understand.. Just the verification process work involved, and potential excitement of breaking systems concerns me.
[12:21] <jamespage> Daviey: gotcha
[12:38] <`-`> #ubuntu ops are nazi fags. please remember to use your brain not that other bit of the anatomy the #ubuntu team appears to think is best.
[12:41] <jamiemill> I need some aws help but ##aws is a bit sleepy. I'm going mad trying to work out why an ELB healthcheck is failing. When I curl the page via {public DNS}:80{healthcheck URL} I get a perfectly fine response. Why could it be?
[12:42] <onre> is it TCP or HTTP healthcheck?
[12:42] <onre> and if it's HTTP, what status code do you get for your response?
[12:48] <jamiemill> onre It's HTTP. I get 200 when I use curl
[12:50] <onre> if you just want to make it work right now, change it to TCP :p
[12:50] <jamiemill> ok will try
[12:51] <jamiemill> onre yeah, now it says in service!
[12:51] <onre> yes :) TCP check only tries to connect to that port without any request, so if that works, it marks the instance as healthy :)
[12:52] <zul> jdstrand:  can you review the openstack in binary new today im getting some flack because of it
[12:52] <onre> i recommend, though, that you take a look at your http server logs to see whether these check requests get logged and possibly filter them away somehow
[12:52] <onre> so that you avoid having the healthcheck flooding your logs :p
[12:54] <jamiemill> onre Actually - i just checked the logs and I see "[02/Dec/2011:12:50:40 +0000] "GET / HTTP/1.1" 301 538 "-" "ELB-HealthChecker/1.0""
[12:54] <jamiemill> so there's a 301 going on
[12:56] <onre> alright!
[12:56] <onre> that explains
[12:56] <onre> http statuscheck will fail if the response code is not 200
[12:56] <onre> you might consider putting an empty test file in place and requesting that with the check
[12:56] <onre> or something similar
[12:56] <onre> possibly a piece of code that checks for db connectivity etc
[12:57] <onre> so that you get a good idea of whether your frontend instance actually is really in service, or if it only responds to port 80 :p
[12:58] <jamiemill> onre It's a shame I can't actually see the headers from the last healthcheck. then i'd know where it's redirecting to!
[12:58] <onre> well if you request / using curl and some verbose flag or something, you should see them?
[12:59] <jamiemill> onre Yeah but using curl, I was getting 200, not 301.
[13:00] <onre> yes but curl probably didn't show you the redirect phase
[13:00] <jamiemill> onre This is a wordpress site so maybe it's PHP redirecting, not apache. I'm trying a plain HTML file in the docroot now as the target
[13:00] <jamiemill> ah
[13:00] <onre> but instead only gave you the "end result" of the redirect
[13:01] <jamiemill> onre No actually I think I am seeing the truth, I was using curl -I to just get the headers
[13:02] <jamiemill> OK looks like using a plain html file is working. before I was requesting a wordpress page, so god knows what was going on. so many plugins etc
[13:04] <onre> oh yeah :)
[13:04] <jamiemill> onre Thanks a million. Looking in the logs was the clue i needed :-)
[13:05] <onre> no prob :p
[13:05] <onre> success by accident
[13:10] <afeijo> how to delete files older than 30 days? I try find -atime +30 | ls -laht, but it returns all files
[13:10] <afeijo> I mean -ctime param
[13:10] <patdk-wk> why ctime?
[13:10] <patdk-wk> ctime = creation time
[13:10] <afeijo> yes, I want to delete old files ...
[13:10] <patdk-wk> atime = access time
[13:10] <patdk-wk> mtime = modification time
[13:10] <afeijo> those files are logs
[13:10] <patdk-wk> normally a file isn't OLD if it was created awhile ago, but updated today
[13:10] <afeijo> no access nor modification
[13:11] <patdk-wk> all files have all 3 times
[13:11] <patdk-wk> dunno, I always use mtime :)
[13:11] <patdk-wk> oh ya, doesn't time = minutes? not days
[13:11] <afeijo> ok, I try with mtime +30, it still returns today files?
[13:11] <patdk-wk> na, time = days, mmin = minutes :)
[13:12] <patdk-wk> works for me
[13:12] <patdk-wk> find . -mtime +1 -delete
[13:13] <memoryleak> Hi. I have following errors when using apt-get: http://pastie.org/2954797
[13:13] <afeijo> patdk-wk, thanks, it worked
[13:14] <memoryleak> I tried many tips from the internet, dpkg-reconfigure locale, export LC_* in .bashrc none of it helped permanently
[13:14] <patdk-wk> afeijo, I bet your logs contain several days of stuff, and that is why ctime isn't working, cause the log was made several days ago
[13:14] <patdk-wk> default is 1week per log file
[13:14] <afeijo> find | ls -lah output weird results tho
[13:15] <patdk-wk> why wouldn't it be?
[13:15] <afeijo> no idea
[13:15] <andol> patdk-wk: Well, isn't ctime really short for change time, and not create time?
[13:15] <patdk-wk> try, find . -mtime +5 -ls
[13:15] <patdk-wk> no, ctime = creation, mtime = modification/change
[13:15] <patdk-wk> don't you know how to use man find?
[13:16] <afeijo> :$ I will
[13:18] <andol> patdk-wk: Well, in my book ctime counts when the underlying inode was most recently changed, which of course in my cases happened during the file's creation.
[13:18] <patdk-wk> heh? what manual did you read that defined it like that? it's always been creation time, according to stat
[13:19] <patdk-wk> hmm, maybe by change they mean inode change
[13:20] <patdk-wk> noticing it says change also, my history it was always creation
[13:20] <andol> patdk-wk: Try doing something like chmod on a file, and see what it does to your ctime.
[13:21] <patdk-wk> that would update the inode
[13:21] <andol> patdk-wk: Exactly
[13:21] <patdk-wk> and I'm guessing that is what it means, time since last inode change
[13:21] <patdk-wk> but then, my history of this comes from the 80's
[13:22] <andol> During the 80's I hadn't even heard about ctime, or mtime either for that matter :)
[13:22] <patdk-wk> used to it being called creation, but ya, that is since inode changed
[13:55] <zul> good morning
[13:56] <mgw> zul: good morning
[14:33]  * koolhead11 needs some cyber-cake 
[14:34]  * koolhead11 heard people are having party tonight
[14:54] <hallyn> zul: bug 372001, do you have any objection to my pushing a patch to have libvirt upgrades not install /etc/libvirt/qemu/networks/autostart/default.xml ?
[14:54] <mgw> anybody know of utility scripts to both add a principal via kadmin and add the user to ldap?
[14:55] <mgw> as well as delete
[14:55] <zul> hallyn: im good with it
[14:55] <hallyn> thx - did you have any other changes to queue up?
[15:04] <SpamapS> oh mysql.. why must you hard code /etc/mysql in your code base?
[15:04]  * SpamapS shakes mysql-cluster-7.0 like a polaroid picture
[15:05] <zul> SpamapS: welcome to hell population you
[15:05] <zul> hallyn: nope
[15:05] <SpamapS> zul: your support is appreciated Mr. Demon ;)
[15:06] <zul> heh i liked it when homer goes to hell and his punishment was to eat all the doughnuts in the world
[15:08] <lynxman> SpamapS: hardcoding paths, the way of the future... not
[15:09] <SpamapS> lynxman: hardcoding paths is webscale
[15:09] <lynxman> SpamapS: it's totally webscale, it has scaling juice written all over it
[15:10] <zul> SpamapS: i think the libmysqlclient is bit different in mysql-cluster as well fyi
[15:17] <SpamapS> zul: its not
[15:18] <SpamapS> zul: all special sauce is confined to libndbclient
[15:18] <zul> SpamapS: cool
[15:18] <SpamapS> zul: I'm slicing mysql-cluster-7.0 down to just the server
[15:18] <zul> i would just rather drop mysql-cluster all together myself but thats another matter
[15:18] <zul> SpamapS: gotcha
[15:19] <SpamapS> zul: but unfortunately, it doesn't understand 5.5's my.cnf .. so have to *not* read /etc/mysql/my.cnf
[15:19] <SpamapS> easy enough, I'm patching that to be /etc/mysql-cluster
[15:19] <zul> SpamapS: hah hah...
[15:34] <fly_80> hi to all
[15:35] <fly_80> i installed imagemagick on a new ubuntu server... when trying to use convert, i got an error
[15:35] <fly_80> convert: no decode delegate for this image format `/tmp/magick-daFyRHfn' @ error/constitute.c/ReadImage/566.
[15:35] <fly_80> what does it mean? i missed some lib?
[15:38] <SpamapS> interesting... mysql cluster 7.2 will be mysql 5.5 based..
[15:40] <SpamapS> I wonder if it will be GA by April.. might be worth moving to it
[15:44] <SpamapS> really screws everything up that libmysqlclient and mysqld have to share the same stupid config file
[15:46] <ikonia> SpamapS: are you sure on that
[15:46] <hallyn> jdstrand:  have you had any time to look at the (tiny) patch on bug 869553 ?
[15:47] <hallyn> I'd like to push it along with the fix for bug 372001
[15:50] <SpamapS> ikonia: sure on what? that libmysqlclient and mysqld have the same config file? yes I'm certain they both read /etc/mysql/my.cnf
[15:50] <SpamapS> ikonia: that they read different sections is only a consolation prize
[15:50] <ikonia> SpamapS: I thought you could separate out client/server options in my.cnf though
[15:54] <hallyn> eh, nm, i'll push the one for now
[15:58] <SpamapS> ikonia: yes you can, but that doesn't matter because the [mysqld] for mysql-server 5.5 break mysql-cluster-server-5.1, and both have to use /etc/mysql/my.cnf
[15:59] <ikonia> in what way does it break it ?
[16:07]  * Daviey spies Horizon in NEW queue
[16:09] <Daviey> (nice one zul)
[16:09] <zul> Daviey: hopefully it will get out of there today
[16:12]  * zul reminds himself to help jdstrand drunk in budapest
[16:13] <Daviey> heh
[16:14] <Daviey> zul: I haven't looked, but are you handling the rename from dashboard?
[16:15] <zul> i will when it gets through
[16:15] <Daviey> rocking
[16:18] <hallyn> Daviey: pushing netcf today?
[16:19] <Daviey> hallyn: on it
[16:20] <hallyn> \o/
[16:24] <Daviey> hallyn: done, wedged in NEW queue
[16:24] <Daviey> (just wait now)
[16:50] <smoser> zul, were you going to send something to boto on connect_nova ?
[16:50] <smoser> or connect_ec2_endpoint
[16:55] <tgardner> jamespage, how do I twiddle cobbler so that I can get a Precise ISO as one of the PXE install choices? is it by editing the profiles from the cobbler_web/profile/list menu ?
[16:57] <jamespage> tgardner: its a bit more involved than that
[16:57]  * jamespage digs for docs...
[16:59] <smoser> tgardner, try cobbler-ubuntu-import
[16:59] <smoser> see its usage
[17:00] <tgardner> smoser, cool, thanks.
[17:00] <tgardner> jamespage, ^^ I can likely figure it out from here.
[17:01] <jamespage> smoser, tgardner: might need a tweak to work on oneiric for precise; I had to hack the cobbler import process on aldebaran to do that (not elegant but works)
[17:02] <smoser> oh? jamespage ?
[17:02] <jamespage> smoser: yeah - I found that yesterday
[17:02]  * jamespage looks at his notes
[17:04] <jamespage> smoser: --os-version=precise is not recognised as a supported release in cobbler on oneiric.
[17:04] <jamespage> for cobbler import xxxx that is
[17:05] <RoAkSoAx> jamespage: SRU :)
[17:05] <jamespage> RoAkSoAx, agreed
[17:06] <smoser> who had/has the hard coced list ?
[17:06] <smoser> coded even.
[17:06] <jamespage> hrm - cobbler does - codes.py and manage_import_debian_ubuntu.py have lists of recognised releases for ubuntu
[17:07] <smoser> and when we fix, please fix with: ubuntu-distro-info --supported
[17:07] <smoser> as that (i think) will get SRU'd
[17:07] <jamespage> lemme report the bug at least
[17:08] <tgardner> jamespage, please lemme know what the bug number is so that I can follow it.
[17:09] <RoAkSoAx> jamespage: gonna prepare the SRU then
[17:10] <jamespage> RoAkSoAx: I'll stick it on my list :-)
[17:11] <jamespage> smoser: the orchestra script that imports the mini iso does that
[17:12] <smoser> jamespage, does what ?
[17:12] <jamespage> uses ubuntu-distro-info --supported
[17:12] <smoser> oh. uses that tool.
[17:12] <smoser> right.
[17:13] <smoser> so we need to make codes.py and/or manage_import_debian_ubuntu.py do it also
[17:13] <RoAkSoAx> jjajaq!
[17:14] <RoAkSoAx> baaah
[17:14] <koolhead17> hi all
[17:14] <jamespage> smoser: well maybe
[17:14] <RoAkSoAx> smoser: I don't agree with you because other distros do not have ubuntu-distro-info --supported
[17:15] <jamespage> what if someone wants to deploy an unsupported distro version?
[17:15] <smoser> well, that would be a ubuntu patch then :)
[17:15] <RoAkSoAx> smoser: but we could make use of it, and if it doesn't exist, fall back to the real list
[17:15] <smoser> but either way, can "if available use it, otherwise hard coded list"
[17:15] <smoser> the list of ubuntu releases is stupidly hard coded *way* too many places. we need to not have that.
[17:16] <RoAkSoAx> smoser: yeah
[17:17] <hallyn> zul: another tiny q (you are my libvirt sanity check :)  - do you see any reason not to add a Suggests: cgroup-lite | cgroup-bin to libvirt-bin?
[17:17] <RoAkSoAx> smoser: well that's precise, for oneiric I'll just hardcode the release
[17:17] <jamespage> tgardner, RoAkSoAx, smoser: bug 899276
[17:18] <RoAkSoAx> jamespage: what/'s the bug number?
[17:18] <tgardner> jamespage, thanks
[17:21] <smoser> ugh. roaksoax, if you hard code the release for oneiric, then you'll have to touch it again in 6 months.
[17:23] <jamespage> smoser: ubuntu-distro-info --all would be better
[17:23] <smoser> right.
[17:24] <smoser> it's arguable if you should complain about "not supported, sorry" or not
[17:24] <smoser> but i dont really care either way
[17:25] <RoAkSoAx> I think it should only be the supported ones
[17:30] <zul> hallyn: no reason
[17:38] <RoAkSoAx> jamespage: fix uploaded
[17:42] <smoser> RoAkSoAx, the reason you would want more than just --supported, is in this case the person has provided you with a CD
[17:42] <smoser> so, it's fairly clear they're interested in using the release they tell you they want to use.
[17:43] <smoser> it's not like they were just asking cobbler "which release do you think i should install?"
[17:46] <RoAkSoAx> smoser: right, but for unsupported releases, the archives won't work (they would have to change to old-releases.etc.etc)
[17:46] <jdstrand> hallyn: sorry for the delay, I will take a look at it now. got tied up with a bunch of other stuff
[17:46] <RoAkSoAx> smoser: so that means they would have to do lots of tweaking
[17:46] <smoser> still not cobbler's decision to make, really.
[17:46] <RoAkSoAx> smoser: but either way, we should only support those supported releases
[17:47] <smoser> RoAkSoAx, if you provide cobbler with a full ISO of an old release, an install should actually work
[17:47] <smoser> right?
[17:48] <smoser> it should install and boot just fine. that's really all cobbler is going to do anyway.
[17:57] <RoAkSoAx> smoser: yeah but you need to modify the preseed to use the imported ISO as mirror
[17:57] <smoser> assuming you're using a preseed.
[17:57] <smoser> :)
[17:58] <smoser> basically i don't see any good reason to be annoying at "cobbler-import" time.
[17:58] <RoAkSoAx> smoser: yeah I agree
[17:58] <RoAkSoAx> smoser: but my point is that it makes no sense for someone to import a CD into cobbler of a non-supported release
[17:58] <smoser> that is their choice.
[17:59] <RoAkSoAx> cause in order to be able to install they will either need to point to old-releases or the local mirror of the imported CD in cobbler
[17:59] <smoser> maybe they're trying to reproduce a bug on karmic
[17:59] <RoAkSoAx> and that means modify the defaults from the preseed
[17:59] <smoser> there are lots of reasons to do such things.
[17:59] <smoser> there is no reason at cobbler-import time to make someone's life harder than it is.
[18:00] <smoser> they're probably aware (or will find out soon) that this release is not supported.
[18:00] <RoAkSoAx> smoser: right, but cobbler-import will not download and import an un-supported release, will it?
[18:00] <RoAkSoAx> smoser: I think it shouldn't
[18:01] <smoser> cobbler-import probably would not. as the urls would probably break.
[18:01] <RoAkSoAx> smoser: exactly
[18:01] <smoser> wait... cobbler-import is fed an ISO.
[18:01] <smoser> cobbler-ubuntu-import downloads cds.
[18:01] <smoser> cobbler-ubuntu-import will fail if they're using that.
[18:02] <RoAkSoAx> smoser: yesmodownloads all the supported ones
[18:02] <smoser> but if they get past that, and download a cd of an unsupported distro, there's really no point to tell them "YOU CANT DO THAT"
[18:02] <smoser> so cobbler-import (as opposed to cobbler-ubuntu-import) should not complain about unsupported release.
[18:03] <smoser> so the "known releases" values in cobbler itself should not be limited to the current definition of supported.
[18:03] <RoAkSoAx> smoser: smos/me/me rebooting the router.. this is just way too slow
[18:04] <jdstrand> hallyn: commented
[18:09] <RoAkSoAx> smoser: right, cobbler-ubuntu-import should only import supported
[18:09] <RoAkSoAx> smoser: and if anyone wants to import something not supported into cobbler, that's up to them
[18:19] <hallyn> jdstrand: thanks
[18:19] <jdstrand> I closed out the sdl one too
[18:20] <hallyn> great
[18:59] <hallyn> and away it goes
[19:38] <adam_g> zul: any idea why, when doing a 'bzr bd -S' on the nova package tree, dh_auto_clean fails because i don't have python-eventlet installed?
[19:38] <zul> adam_g: thats new to me
[19:40] <adam_g> hmm
[19:44] <jdstrand> zul: quantum accepted with this bug #899352
[19:45] <zul> jdstrand: cool thanks
[19:45] <zul> next.. :)
[19:45] <jdstrand> yes
[20:02] <stgraber> hallyn: ping, where's the meeting?
[20:02] <hallyn> stgraber: doh!  right here I guess :)  (i'd forgotten, thanks for the ping)
[20:03] <hallyn> jjohansen: around?
[20:03] <jjohansen> hallyn: yep
[20:03] <jjohansen> hallyn: aren't you off today?
[20:04] <hallyn> i don't think so.
[20:04] <hallyn> ACTION checks
[20:04] <jjohansen> hallyn: oh, okay Daviey was asking that question last night
[20:04] <hallyn> there was a snafu with my holiday scheduling (caused by me)
[20:04] <jjohansen> ah
[20:05] <hallyn> yeah it was removed from admin but not the calendar apparently.  oops.
[20:05] <hallyn> (not that i'd mind)
[20:05] <hallyn> ok, so frankly i'm not quite sure where to start.
[20:06] <hallyn> jjohansen: do you have any updates on the apparmor work this cycle?
[20:06] <hallyn> (as pertains to lxc)
[20:06] <jjohansen> hallyn: sure
[20:07] <jjohansen> so we split the work out into what is essential, and high priority etc
[20:07] <jjohansen> the essential bits are the fake stacking and the base permission rework, and I think mount rules
[20:08]  * jjohansen needs to find the blue prints
[20:08] <jjohansen> anyway I have been working on the fake stack, I wanted it to be done this week, but I am still fixing bugs
[20:09] <jjohansen> so hopefully next week you will be able to try it with lxc, and give me feedback
[20:09] <hallyn> (just for historical reference: http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html was last time i considered this)
[20:10] <hallyn> cool
[20:10] <hallyn> so that addresses a container being able to load a policy of its own, but not being subject to host policy any more, right?
[20:10] <jjohansen> this won't have the extra mediation bits, but will allow the child to have its own profile namespace separate from the confining task
[20:10] <hallyn> right
[20:10] <jjohansen> right
[20:11] <hallyn> so, what about the "mount --move /proc /proc2; echo b > /proc2/sysrq-trigger" concern?
[20:11] <jjohansen> then I need to finish up the extend permission base work, so we can add the extra mediation you need
[20:11] <hallyn> is that for 12.04 then?
[20:12] <jjohansen> hallyn: at what level are you concerned, from within the container, right?
[20:12] <hallyn> unless i'm misunderstanding i thought you were punting on that for 12.04 :)
[20:12] <hallyn> yes
[20:12] <stgraber> jjohansen: so about "own profile namespace", what do we need to do from an upstream lxc point of view? I guess we need to change our container init code to do some magic?
[20:12] <jjohansen> hallyn: at a minimum we will have mount rules to control where the mount can go
[20:13] <hallyn> ah, cool
[20:13] <hallyn> I need to track all this on wiki
[20:13] <jjohansen> hallyn: I would love to be able to make path rules conditional on the fs but I don't think that can make 12.04, the kernel should actually be able to do that when I am done
[20:13] <jjohansen> it will be the policy compilation bits that I am worried about completing
[20:14] <jjohansen> stgraber: yes
[20:14] <jjohansen> stgraber: basically you create the namespace you want, and tell apparmor to stack it
[20:15] <jjohansen> stgraber: I have added two simple utility programs to wrap that, or you can look at what they do and make the calls yourself
[20:15] <jjohansen> stgraber: though at least for aa-namespace I would rather you use that, as I am trying to abstract out the use of the old interface, and you will pick up the new interface once it gets added
[20:16]  * jdstrand reads backscroll
[20:16] <jjohansen> stgraber: under the old interface you don't have control of autoremoval, or #of profiles, amount of memory it can use etc.  Under the new interface you will, very similar to setting up a C group
[20:17] <jjohansen> s/C group/cgroup/
[20:17] <stgraber> hallyn: so that'd need to be added to lxc-init I'd guess and potentially add a new config option (to turn on/off) + add a build option?
[20:17] <hallyn> btw, so as far as Daviey's concern (a document on lxc security), i will create a wiki page, outline issues at top level, and mitigations at second level
[20:17] <hallyn> stgraber: not lxc-init...  lxc-start ?
[20:17] <hallyn> lxc-init is the fake-init for application containers (lxc-execute)
[20:18] <stgraber> hallyn: argh, right, lxc-start :)
[20:18] <hallyn> stgraber: we should make sure to doc this in a blueprint...
[20:19] <hallyn> jjohansen: thx for that update
[20:20] <hallyn> stgraber: jjohansen: so actually i think i'll go ahead and go create the wiki, email you for comment, and we can talk thereafter?
[20:20] <hallyn> (I'm not sure I have any more questions until I think it through in a structured way)
[20:20] <jjohansen> hallyn: sounds good
[20:20] <stgraber> hallyn: sounds good. I'll attach my current apparmor profile to it too, ideally we should try to have something a bit more complete for 12.04
[20:20] <jjohansen> hallyn: I did want to run past you how we are looking at structuring policy for this
[20:21] <hallyn> jjohansen: ah, ok (listening :)
[20:21] <jdstrand> hallyn, stgraber: fyi, we are tracking these bits in https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers and https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework, which is part of the http://status.ubuntu.com/ubuntu-precise/group/topic-precise-arm-server.html topic
[20:21] <jjohansen> hallyn, stgraber: it is going to require doing some things a little different, but it comes out of talking to viro
[20:23] <jjohansen> basically the idea is that you split the profile into two functional bits, the setup phase and the mediation of the container.  Paths in the setup profile are relative to the original root, and paths in the mediation profile are based on the container namespace
[20:23] <jjohansen> for disconnected files, the mediation is based off of the implicit labeling
[20:24] <jjohansen> or maybe delegation, but I can't see the delegation bits being ready for 12.04
[20:24] <hallyn> implicit labeling?
[20:25] <jjohansen> hallyn: when a task opens an fd it labels it with its current label
[20:25] <hallyn> oh, ok.
[20:25] <hallyn> and that bit is new right?
[20:25] <hallyn> oh, no.  nm.  i was working around userspace.
[20:26] <jjohansen> yes and no, we have always done that but we have been planning on extending it, and will do the bits we need for containers
[20:29] <hallyn> ok, so we'll have mount controls to lock cgroups and proc/sys into place;  maybe cgroup virtual roots (doubtful);  and maybe seccomp2 to lock out some syscalls.
[20:29] <hallyn> this isn't looking too bad
[20:31] <hallyn> jjohansen: thanks, anything else?
[20:31] <jdstrand> s
[20:31] <jjohansen> hallyn: I think that is it for now
[20:32] <hallyn> jjohansen: great, thanks.  i'll work on that wiki over the next few days and email you and stgraber
[20:32] <stgraber> jjohansen: thanks
[20:36] <adam_g> zul: i tagged you as a reviewer for a quick merge into lp:ubuntu/nova
[20:37] <zul> adam_g: yay! thanks
[20:43] <dkn> why can i ssh into my server from one VM using - u username ssh hostname but i can't do it from another? both have their rsa public keys in the username authorized_keys folder but one asks me for a password when i log in?
[21:04] <jdstrand> zul: openstack-common accepted
[21:05] <zul> hurray for small miracles
[21:05] <jdstrand> heh
[21:32] <hallyn> smoser: do you know/recall why windows on euca needs a separate boot disk?  (as reported by various blogs)
[21:33] <smoser> umm... windows is silly ? and euca wasn't designed for that ?
[21:34] <smoser> but seriously, it probably has to do with how an ami (amazon machine image, the format of disk that you upload to amazon) are used.
[21:34] <hallyn> is it still necessary on openstack? is what i think the q is :)
[21:34] <smoser> for instance-store images, you upload a partition image
[21:34] <smoser> then, the cloud provider (euca or ec2) take that and some magic to turn it into a disk image (with a partition table)
[21:35] <smoser> they never try to boot it by booting the MBR
[21:35] <smoser> so you just can't let windows boot itself
[21:35] <hallyn> smoser: ok, thanks
[21:35] <smoser> on openstack, though, if you boot an instance without a kernel and ramdisk (ari/aki), then openstack just tries to let the disk boot itself
[21:36] <smoser> so we publish "full disk images" that have grub installed in them and those are the best way to boot on openstack.
[21:36] <smoser> similar full disk images of windows should/could work there
[21:36] <smoser> and euca could use a similar trick... i don't know.
[21:40] <achiang> smoser: yeah, the euca thing is a red herring. my real goal is to boot windows on openstack somehow
[21:41] <Daviey> achiang: Have you created a windows ami?
[21:41] <zul> achiang: it should be the same as the way you do it on eucalyptus, although you will run into issues since it assumes you are running linux (injecting keys etc)
[21:41] <achiang> Daviey: no, that's what i'm trying to figure out how to do
[21:42] <Daviey> achiang: it's not something any of the ubuntu folk have tested fwiw.
[21:42] <smoser> achiang, have you tried it ?
[21:42] <smoser> it really should "just work" as much as windows can just work
[21:42] <smoser> do an install in kvm.
[21:42] <achiang> smoser: i'm muddling along trying to follow instructions here: http://cssoss.wordpress.com/2010/05/05/uec-windows-instance-on-lucid-lynx-hack/
[21:42] <smoser> take the disk and upload it to openstack
[21:42] <achiang> smoser: but i guess i didn't realize that euca and openstack aren't the same thing
[21:43] <achiang> yeah, i've done the kvm installation part
[21:43] <achiang> the "upload it to openstack" part is what i'm getting hung up on
[21:43] <smoser> why?
[21:43] <achiang> well...
[21:43] <Daviey> I wonder if the qemu backing store breaks windows?
[21:43] <smoser> windows knows nothing about it
[21:43] <smoser> its a block device
[21:44] <achiang> am i supposed to use euca-bundle-vol somehow?
[21:44] <smoser> achiang, cloud-publish-image x86_64 my-windows-i-love-bill.img my-redmond-bucket
[21:44] <smoser> you can probably use glance commands to do the same thing. i'm not familiar with them off the top of my head. they are more direct, but i know this path well.
[21:45] <zul> smoser: it would be a good weekend project though :)
[21:45] <achiang> smoser: ok, and where does my-redmond-bucket come from? do i need to make it somehow?
[21:45] <smoser> no.
[21:45] <smoser> its a name. an s3 bucket that it will get put into
[21:46] <achiang> here's a dumb question. can an openstack instance mount/boot/access a local cdrom/iso?
[21:48] <smoser> theres a thread on the mailing list
[21:48] <smoser> on that
[21:48] <smoser> i didnt follow it
[21:49] <smoser> achiang, seriously, just try it.
[21:49] <zul> achiang: yes it can assuming you are running Xenserver
[21:49] <smoser> i'm interested in knowing what happens.
[21:50] <achiang> smoser: yeah, i'm just trying to frontload questions here because i have a 7GB qemu disk image and a horribly slow uplink. :-/
[21:51] <smoser> achiang, run an instance and move the image there.
[21:51] <smoser> https://gist.github.com/1231973
[21:51] <smoser> start an instance with that, i do it with lucid
[21:51] <smoser> and then get your creds to the instance
[21:51] <smoser> and move the 7G disk there.
[21:51] <smoser> then you have fast network.
[21:53] <achiang> smoser: ok, thanks for all the help. i appreciate it
[21:53] <achiang> (and thanks others, too)
[21:55] <jdstrand> zul: swauth accepted with these bugs filed: bug #899411, bug #899410
[21:55] <smoser> does that gist make sense to you?
[21:55] <zul> jdstrand: thanks..
[21:56] <zul> jdstrand: i think ill be fueling your alcohol consumption next month
[21:56] <jdstrand> I will take you up on that
[21:58] <achiang> smoser: no, the gist doesn't really make sense yet, but i'm assuming after more homework on my part it will become apparent
[22:00] <smoser> achiang, launch an instance of lucid with that gist as userdata
[22:00] <smoser> (--user-data-file=that-file)
[22:00] <smoser> then copy your credentials there to a subdirectory named 'creds' of your home directory
[22:00] <smoser> (ubuntu's home directory)
[22:06] <chz|bacon> hey guys i'm having a heck of a time getting grub2 to install on a software raid setup
[22:07] <chz|bacon> could one of you maybe point me in the right direction. i've been reading howtos, and i still can't seem to get grub2 to install.
[22:08] <chz|bacon> i have swap / and /boot partitions setup yet trying to install on /dev/sda1 (/boot) i get the same error
[22:09] <chz|bacon> i also have the same error if i attempt to install on /dev/md0
[22:10] <chz|bacon> anyone?
[22:34] <hallyn> Daviey: so you think we need to wait a bit to MIR netcf?
[22:35] <Daviey> hallyn: I heard the Debian Maintainer was a big unreliable, what do you think?
[22:35] <Daviey> s/big/bit
[22:35] <hallyn> i wouldn't trust him further than i can throw him
[22:36] <Daviey> heh
[22:36] <Daviey> hallyn: What needs to depend/recommend on it?
[22:36] <Daviey> I've not looked at netcf, so bit of a n00b
[22:36] <hallyn> Daviey: libvirt
[22:37] <Daviey> hallyn: what do upstream libvirt think about netcf?
[22:37] <hallyn> they wrote it :)
[22:37] <Daviey> well.. seems to be a no-brainer then :P
[22:38] <hallyn> ok - i'll file it on monday and see what they say :)
[22:39] <hallyn> gnight
[22:44] <Daviey> nn hallyn
[22:48] <jdstrand> zul: horizon finally accepted with bug #899427
[22:53] <Daviey> thanks jdstrand
[22:58] <barcef> What else do I need to do? Installed squid on my machine in the US, setup my src ip range and disabled X-forward-for, but hulu still says that I'm outside of the US.
[22:58] <barcef> Any ideas?