/srv/irclogs.ubuntu.com/2011/12/12/#ubuntu-server.txt

qman__	use the built in partitioner	00:01
qman__	just choose 'manual' instead of 'guided'	00:01
wedgeV	ok, thanks	00:03
Canadian1296	Can someone help me disable the internet connection for good on Ubuntu 10.04?	00:16
Canadian1296	Anyone alive here?	00:18
mtphone	I have a pfsense vm. One nic is on the first bridged if which os able to talk to the outside. The other if is on the other bridge which is the if that i want everything grabbing dhcp from. I'm a bit stumped and only have my phone right now...	00:19
mtphone	Google stuff says it should be working the way i set it up......	00:19
qman__	Canadian1296, what exactly are you trying to do?	00:20
qman__	I mean, killing internet access is easy and doable in many ways	00:21
qman__	ifdown, route, ifconfig, you name it	00:21
mtphone	My route table even shows that internal ip addy should go to that bridged interface...	00:21
Canadian1296	qman_, im making a livecd and it's sole purpose is for gpg. The user will be root, and i already installed all the necessary packages for it. I need to diable the internet connection so the user cannot enable it	00:22
qman__	well, if you don't need any network access at all	00:22
qman__	just pull the NIC drivers out	00:23
Canadian1296	yeah, i want no internet at all. how do i do that? I asked at the ubuntu channel and they sent me here :P	00:23
qman__	compile your own kernel with networking disabled	00:24
qman__	that's the only way to do it such that it can't be reenabled without compiling more modules	00:24
Canadian1296	okay, is there a simpler way that simply disables it?	00:24
qman__	plenty, but they can all be defeated	00:25
qman__	no default route, no internet	00:25
mtphone	Remove the card entirely	00:25
qman__	kill off the networking upstart script	00:25
qman__	blacklist all the networking modules	00:25
Canadian1296	thats fine, as long as by default its disabled.	00:25
mtphone	rm /etc/network/interfaces	00:25
Canadian1296	What files or packages should i remove?	00:28
qman__	uninstall dhclient	00:29
qman__	delete /etc/network/interfaces, /sbin/ip, /sbin/route, and /sbin/ifconfig	00:30
Canadian1296	qman_: i removed all of them but i still have internet :\|	00:33
qman__	well yeah, your interfaces are still up from before	00:33
qman__	but without those tools you can't bring internet back up after taking it down	00:33
Canadian1296	okay, how do i take it down now?	00:33
qman__	probably also want to remove network manager, ifup, ifdown	00:33
twb	11:23 <qman__> just pull the NIC drivers out	00:34
twb	Pull the NIC out	00:34
qman__	without those tools, you can't bring it down either, short of rebooting	00:34
qman__	and yeah, if you have control of the hardware, the NIC itself is the easiest	00:34
twb	What I do is: 1) blacklist the modules in the kernel; 2) rm the .ko; 3) add an /etc/kernel-post.d that does (2) if the kernel is upgraded.	00:35
Canadian1296	qman_: okay, so when i boot from the livecd (the one i just did that too), i wont have internet. correct?	00:35
twb	Although lately I have just been shipping rerolled kernels	00:35
twb	Canadian1296: why do you want to revoke internet access?	00:35
Canadian1296	twb: livecd for gpg only. no need.	00:36
twb	That is not an answer.	00:37
twb	That's like saying "they only need black and white so how can I disable all the red pixels on their screen"\	00:37
Canadian1296	twb: haha yeah your right… But im doing it because I'm just messing around with making livecd iso's… More to learn how	00:38
qman__	if you have a task that needs to be secured from the internet, you need to secure the hardware	00:39
Canadian1296	I plan on eding up with a livecd that's loaded into ram. Truecrypt is installed on it, so a gpg keyring is loaded onto it from a removeable truecrypt drive. Then the user logs out and only logs in when he is at the computer. shutting it down will wipe the key out (everything is in ram). Theres a script that shuts down the computer as soon as someone types a bad username or password at the login prompt.	00:42
qman__	for this plan to retain any kind of security, the hardware absolutely must be secured	00:44
qman__	so just remove/disable it	00:44
Canadian1296	the idea is the system is running from ram, and the key's in ram. no harddrive or livecd in the machine. To do anything on it you have to log in, or reboot from a different livecd. Rebooting wipes out the key, and failing to log in wipes out the key. I dont see the security hole...	00:46
qman__	otherwise, what's to stop anyone from booting a different environment, or loading binaries off a flash drive, or copying sensitive data	00:46
qman__	by design it's not going to get the latest security updates either	00:47
Canadian1296	Can you load files onto it or boot without loggin in or shutting down the running ubuntu os?	00:48
qman__	yes	00:49
Canadian1296	how?	00:49
qman__	rogue flash drive is your main problem	00:49
Canadian1296	explain...	00:49
qman__	but unless you lock out your bootloader, add "single" to the kernel line, and done	00:49
qman__	without physical security your plan is moot, because people can bring in a flash drive with anything on it, and load files onto it	00:50
Canadian1296	But if the computer is running a live version from ram, and theres just a login prompt, how do you propose they mount the files?	00:50
qman__	google 'kon-boot'	00:51
qman__	that's just one of many ways to completely defeat your plan	00:51
Canadian1296	i know what konboot is, but it require you boot from it.	00:51
qman__	and without physical security, they can	00:52
Canadian1296	can you defeat the login prompt, with only one guess, and without shutting down the sstem?	00:53
qman__	the point is, they don't have to	00:53
qman__	without physical security they can boot or load whatever they want	00:53
qman__	and defeat the protections you have in place	00:53
Canadian1296	I understand anyone could shutdown the system and reboot from a livecd. Full access to the system. But theres nothing on the harddrive. The key was wiped out when the computer shut off.	00:54
zaltekk	full harddrive encryption, /boot on a usb key that's removed after boot	00:55
qman__	that'd work better	00:56
qman__	then they'd need an exploit that works without booting	00:56
zaltekk	well, they'd need a way to exploit the running system	00:56
qman__	but again, that's physical security	00:56
zaltekk	or a hardware keylogger(if the key is manually entered instead of being on the usb key)	00:56
qman__	the keys to boot it are locked up	00:56
zaltekk	right	00:56
zaltekk	i use it only for my laptop	00:56
zaltekk	in which case the usb key is on my car/house keys	00:57
zaltekk	so if the laptop was stolen	00:57
zaltekk	they'd not be able to get in	00:57
qman__	it doesn't matter how you protect your live environment if the attacker can boot it, because they can pregame with things like kon-boot	00:57
zaltekk	not that i have anything that secret :P	00:57
Canadian1296	zaltekk: when booting from the livecd, you can load the entire cd into the ram , then remove the cd. Then all the files are in ram. i was under the impression if the computer shuts down they are gone. (not necesserily unrecoverable, just gone)	00:57
twb	Go read Reflections on Trusting Trust	00:57
zaltekk	what's the point Canadian1296?	00:58
qman__	and even though there isn't one widely available as of right now, they'd only need a USB-based live exploit	00:58
twb	Canadian1296: police have gear that can remove computers without turning them off, so RAM is still accessible	00:58
qman__	and those have come up in the past, common on windows	00:59
zaltekk	i'm not sure what there is to protect when you have no persistent storage	00:59
zaltekk	twb: right. it's game over if they shutdown a well-encrypted system	00:59
Canadian1296	okay heres my new question. If the cd was loaded into ram, and i created a file (lets just say i typed touch test), then turned off the system. when i rebooted test would be gone. Am i correct?	00:59
qman__	yes, but you're accessing a flash drive	01:00
qman__	which does have persistent storage	01:00
zaltekk	qman__: usb-based stuf is bad on windows because of autoexecution and such	01:00
Canadian1296	the flashdrive will be encrypted with truecrypt. used to load the key into ram, then unmounted and removed.	01:00
zaltekk	you could have a worm automatically execute by being inserted that them copies itself ot all over removable media	01:01
qman__	you didn't say that from the beginning	01:01
qman__	if the flash drive and CD are not present when the users have access, then you have physical security	01:01
qman__	but you're still not protected against a rogue flash drive unless you physically lock up the USB ports	01:01
twb	Canadian1296: what attacks are you guarding against?	01:02
twb	Canadian1296: your sister, your boss, or the DSD?	01:02
Canadian1296	Im sorry, i didnt explain myself properly. One minute	01:02
twb	Because the DSD can always rubber-hose you.	01:02
twb	I suppose your sister can, if it comes to that...	01:02
zaltekk	DSD?	01:04
qman__	guessing it's an equivalent to the NSA	01:04
Canadian1296	Livecd in the computer, boot to ram, remove livecd. Livecd is now out of the picture (assume its locked in a safe somwhere). Now the usb is mounted with truecrypt, and the key added into the keyring. usb removed and is also out of the picture. logout of system. now you walk up, log in, use gpg, log out. repeat. if someone types a bad password trying to log in, the computer shuts down.	01:05
qman__	you still need to physically secure the USB ports	01:05
zaltekk	why qman__ ?	01:06
qman__	otherwise you're vulnerable to someone exploiting the system with a rogue flash drive, so users after them are exposed	01:06
zaltekk	do you mean to prevent the port from having a mitm?	01:06
Canadian1296	okay, assuming i am the only one who can log in, am i safe? and while we're on the topic of security, if i describe the setup on my mac can i get advice on how to improve it?	01:06
qman__	dropping a rootkit	01:06
qman__	no, you're not	01:06
qman__	while there aren't any publicly available for current versions, there are exploits that merely require plugging in the flash drive and having it be detected to install	01:07
zaltekk	qman__: assuming they have an exploit that attack the usb stack?	01:07
zaltekk	*attacks	01:07
Canadian1296	do they not have to manually mount the usb?	01:07
qman__	no, just needs to exploit the kernel and then they can do nasty things with the current session	01:07
zaltekk	Canadian1296: the system interacts with it	01:07
zaltekk	think of a specially crafted partition table	01:08
Canadian1296	okay, so ill rethink that one :)	01:08
qman__	to prevent this in software, you'd have to disable USB altoegether	01:08
zaltekk	which you could easily do after boot	01:08
zaltekk	since you don't seem to plan on ever using it again	01:08
twb	Yeah, DSD is .au Defense Signals Department, i.e. SIGINT, not NSA	01:08
yann2	usb fun http://astr0baby.wordpress.com/2011/01/30/teensy2-0-and-metasploit/ <3 :)	01:08
qman__	if you lock down USB, then you're reasonably secure	01:09
twb	qman__: with epoxy resin?	01:10
qman__	well, and remove the internal hard drive	01:10
qman__	if an exploit gets loaded on there, all subsequent live sessions could be compromised	01:10
Canadian1296	okay, so no internal hard drive. and how would i go about disabling usb after boot?	01:10
qman__	modified kernel, probably	01:11
zaltekk	rmmod and delete the modules	01:11
qman__	if you do that, then it would require significant espionage tactics to get anything	01:11
qman__	freezing and removing the RAM, or very expensive equipment to do stuff over the air	01:12
twb	Boot a kernel with USB disabled	01:12
twb	Also with kernel modules disabled	01:12
Canadian1296	So basically the only simple solution is no harddrives, and once its booted physically disable the usb ports, thus making the computer useless for future sessions :P	01:13
qman__	it would bring you to the level where joe random hacker with a flash drive can't do anything	01:13
qman__	and unless you're CIA or something, that's all you really have to worry about	01:14
zaltekk	qman__: any idea how the access to live ram works?	01:15
twb	qman__: well, apart from rubber hoses &c	01:15
qman__	I've only read about it	01:15
twb	zaltekk: how do you mean "live ram"?	01:15
qman__	but basically, get canned air, use improperly to freeze the RAM, hot swap it into a running system	01:15
qman__	and recover data	01:15
zaltekk	twb: as in using physical access to be able to get the contents of a stick of ram while the system is running	01:15
qman__	they did it at some convention, probably defcon	01:16
zaltekk	yann2: that adurino board looks pretty cool	01:17
Canadian1296	haha okay thanks for your help guys :) and Im getting to the point where lighting the computer on fire and spreading the ashes in the ocean seems like the most logical solution :P	01:17
twb	Canadian1296: shooting it into the sun would be safer	01:18
qman__	the point is, physical security is key	01:18
qman__	if you can't trust your hardware, you can't trust your software	01:18
Canadian1296	twb: i assumed so, but theres so much that could go wrong on the way there. Fire always seems to work	01:18
=== wedgeV__ is now known as wedgeV
Ibyss	tilTillman32: I highly against the idea of installing an IRCD using apt-get or ubuntu's package manager. You're better off compiling an IRCD in a NON-root user account using default compile settings.	02:10
twb	Ibyss: uh, why?	02:11
Ibyss	twb: Tends to be outdated.	02:12
twb	That's just another way of saying "stable"	02:12
twb	If you want to bleed on the edge, LFS and gentoo are <over there>	02:13
qman__	if you stick with the packaged version, the flaws are going to be either patched, or at least known so you can work around them	02:15
qman__	latest isn't always greatest	02:15
qman__	and it'll come from a fairly trustworthy, accountable source if something does go wrong	02:16
uvirtbot	New bug: #903008 in samba (main) "System crashes when do mount.cifs" [Undecided,New] https://launchpad.net/bugs/903008	02:16
Ibyss	Anyway. My point = Download from the distributor's website. Installing is easy. Inspircd in ubuntu's respo is like 1 major version outdated. (many inspircd's stable releases gone by many times already).	02:16
Ibyss	qman__: This is why you test.	02:16
qman__	can't test everything	02:16
Ibyss	Tillman32: Popular IRCDs being Inspircd, unreal, charybdis, You can see more on here: http://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_daemons	02:18
twb	If this is for an internal office IRCd, I would just use ircd-irc2	02:19
Tillman32	I don't understand why this is being directed t'wards me.	02:19
Tillman32	I'm using Empathy, and it's perfectly fine for "hovering" IRC channels.	02:20
twb	Unless you KNOW you need something fancier	02:20
Ibyss	Tillman32: I thhought you wanted an IRCD.	02:20
twb	Tillman32: hovering?	02:20
kirkland	MTecknology: kirkland isn't working for canonical.com anymore ;-)	02:20
Tillman32	You got the wrong guy.	02:20
kirkland	MTecknology: I have a copy of that javascript though, I'll put up somewhere else	02:20
Tillman32	I didn't mention, this is my first 10 minutes ever spent in this IRC.	02:20
twb	What's the turnover rate at canonical anyway?	02:20
MTecknology	kirkland: oh- guess i been gone a long while	02:31
MTecknology	kirkland: what ya doing now?	02:31
kirkland	MTecknology: nah, next week is only my second week at the new gig	02:31
kirkland	MTecknology: I have blog post tomorrow, but the short/skinny is that I'm working for a new startup on data encryption for the cloud around eCryptfs (company is called Gazzang)	02:32
MTecknology	kirkland: neat	02:32
MTecknology	kirkland: I saw the cloud last month! It was about 10,000 ft below me	02:32
twb	kirkland: where are you now?	02:32
kirkland	MTecknology: the overly flattering press release is at http://www.marketwatch.com/story/dustin-kirkland-joins-gazzang-as-chief-architect-2011-12-08	02:33
twb	Oh, you said	02:33
twb	It sounds like linkedin for OGs :P	02:33
kirkland	twb: hi	02:33
twb	"wazzup homie, hit up this url when you is looking for dogs to roll wit"	02:33
kirkland	twb: I've been catching a pretty rough rap from you lately, as I read my backlogs; I'm getting thrashed for update-motd and byobu on a nightly basis, it seems	02:34
kirkland	:-)	02:34
kirkland	twb: yeah, it's all about search-engine-optimization for startups nowaday	02:34
twb	Well, at least byobu isn't given to people running "screen" now	02:34
twb	At at point I don't care about what byobu does	02:34
kirkland	twb: that was a mistake, in retrospect, admittedly	02:34
MTecknology	I'm trying to set up a decent network from scratch....	02:35
twb	if it makes any better I hate on SJR way more	02:35
kirkland	I'm done with screen, anyway; it's all about tmux	02:35
MTecknology	I'd like to have it all running really cheap on a single server too :)	02:35
twb	I would like tmux if it did some more screen things	02:35
MTecknology	Apparently putting a routing device on a VM is a bit of a pain	02:35
twb	Like, tmux you can either say "guess the title" or "let the title be fred". You can't have both	02:35
MTecknology	hm.. does anyone actually use byobu? (bring your own beer, you)	02:36
twb	It gets it out of /proc instead of letting me change it from "emacs" to the buffer name, or whatever	02:36
twb	MTecknology: kids	02:36
twb	MTecknology: people who don't already have a .screenrc	02:36
MTecknology	twb: my .screenrc is pretty minimal..	02:36
MTecknology	maybe i should try it more sometime	02:37
kirkland	MTecknology: hard for me to say objectively, but my inbox, irc logs, and google alerts are crammed with people raving abou it	02:37
kirkland	MTecknology: on the other hand...	02:37
twb	kirkland: good raving or bad raving? ;-)	02:37
kirkland	MTecknology: there's plenty of sophisticated screen users (erm, twb?) who effing hate it, and do so pretty vocally	02:38
kirkland	MTecknology: so the new approach has been to try and offend knowledgable users as little as possible	02:38
kirkland	MTecknology: while still helping those who appreciate a nudge in the right direction	02:38
twb	The goal of byobu AIUI is to improve feature discoverability. Which IMO is a good thing.	02:39
MTecknology	i never tried it enough to give it an honest shot... I kinda been sticking with what works since screen was a bitch to get used to and I don't wanna do that again	02:39
twb	Plenty of people I met are like "OMG, you can have >1 window in screen?!?!"	02:39
qman__	if only other projects would take that stance	02:39
MTecknology	but i guess... i did learn dvorak and it's helped me a huge deal	02:39
twb	Let alone people who are running minicom in it FFS	02:39
MTecknology	terminator -m -b -T irssi -x ssh user@domain.tld -t screen -aAdr -RR irssi irssi	02:40
MTecknology	:)	02:40
twb	http://cyber.com.au/~twb/.tmux.conf is my tmux rant	02:40
kirkland	twb: man, you give the lwn grumpy editor a run for his money	02:42
kirkland	:-)	02:42
twb	http://cyber.com.au/~twb/doc/grumbling.txt is the properly prepared one	02:43
twb	corbet tends to assume people had a good reason; I assume they're just idiots	02:43
MTecknology	kirkland: so you're a super brilliant guy, right? I should hire you... payment will come in the form of love	02:50
kirkland	MTecknology: as interesting as the prospect is, my wife will object, I'm afraid	02:51
MTecknology	I have a pfsense box that's running on a physical system. I want that system for something else. So.. I want to move the pfsense system into a VM on my VM host system. I guess that means i'll have two interfaces on the physical system that will need to be bridged.	02:53
lifeless	twb: thats special - '# So if you want to use parens inside #(), you have to escape... only the closing paren.	02:53
lifeless	'	02:53
twb	lifeless: yeah, tell me about it	02:53
twb	Silly openbsd people	02:53
MTecknology	I'm a bit lost at how to make my server use the pfsense system that's sitting on top of it, of course if the vm doesn't come up, no networking at all will work	02:54
zaltekk	twb: lifeless: i think that came along before tmux was included in openbsg	03:24
zaltekk	*openbsd	03:25
twb	MTecknology: why on earth are you trying to use a pfsense VM for your firewall	03:32
MTecknology	twb: I'm not so much worried about using it as a firewall, it's all the other services on it that i love	03:32
MTecknology	twb: I'd like to be able to just give eth0 to the vm and have everything else use eth1	03:33
twb	uhuh	03:33
MTecknology	twb: I know it's a bad idea... but I still wanna do it... I'm a bit short on systems laying around	03:34
twb	AFAICT it's just a router distro, so the only real advantage of using it instead of Ubuntu as your bastion is pf (assuming you prefer pf to netfilter)	03:34
MTecknology	it has a really pretty and retardedly simple web interface for people that don't want to think	03:35
MTecknology	twb: despite it being a bad idea...... any chance you could help me figure out how to route traffic through the vm?	03:36
qman__	it's just a convenient ready-made solution, we use untangle at work, same idea	03:36
qman__	however, I don't think running it in a VM is a good idea	03:37
qman__	just way too complex	03:37
twb	I grant you that "router appliance!!1!" is a separate issue from "bastion in a VM"	03:37
qman__	KISS works best	03:37
twb	Personally I think both are stupid but the latter is stupider	03:37
MTecknology	I'm also curious how to ever do something like this..	03:37
qman__	in my opinion, the router has the hardest job and the most demanding requirements, because it is your first line of defense, and if it goes down, everything goes down	03:38
qman__	I don't trust a VM setup to deal with that	03:38
twb	qman__: and I don't trust an appliance to do it either :-)	03:41
MTecknology	HAHAHA!!	03:41
MTecknology	So... apparently I managed to set up the vm so that it took over for my other router	03:41
qman__	I don't use it for my network, but untangle does have some cool features for the windows based clients we service	03:41
MTecknology	the only thing missing was that the thing couldn't get out to the internet	03:41
qman__	automatic inline antivirus and spyware and whatnot	03:41
twb	qman__: ah, well, you know what my fix for THAT will be	03:42
twb	Anyway it's probably just clamav and friends...	03:42
qman__	the antivirus is, don't know about the phishing and spyware, it's got spam and a list-based web filter too, just makes it really quick to set up	03:44
qman__	they've got pay-for modules like kaspersky too	03:44
qman__	but we just use the free stuff	03:44
qman__	I don't use it on my stuff because my stuff is set up right in the first place	03:45
qman__	but it's a good bandaid, catch-all tool for those situations	03:45
qman__	my job is, unfortunately, all about the bandaids and quick fixes	03:47
twb	My job is usually to go back and fix it after the bandaid has worn away after being in place for ten years	03:49
twb	And I say "you should do <right thing>" and they say "too bad we can only afford <bandaid>"	03:50
MTecknology	WORKING!!!	04:05
MTecknology	twb: I still realize that it's a terrible idea to rely on a VM for a firewall, I really only care about the dhcp, dns, ntp, nat, vpn, and static routes, i have a different device that functions as a firewall	04:11
qman__	that's all fairly trivial to set up in pretty much any distro	04:13
MTecknology	qman__: yup- the non-trivial part is making it work as a vm	04:14
MTecknology	qman__: that's what i'v been fighting with	04:14
qman__	don't see the point	04:14
qman__	run it on the host	04:14
MTecknology	I don't like making any server have more than one function, especially on a vm host	04:15
qman__	except for VPN, that all runs on my router	04:16
qman__	not sure what you're using for a firewall but if it's not capable of running that stuff, it's probably not a very good firewall either	04:17
MTecknology	it's not	04:18
MTecknology	it's also a home network	04:18
qman__	doesn't make it any better/worse an idea	04:19
qman__	a network's a network	04:20
MTecknology	feel free to donate some hardware...	04:21
qman__	I've thrown away machines that could do that job sufficiently	04:23
qman__	if you want to pay shipping I have some pentium IIs, a willy P4, and some other crap that would work too	04:25
twb	I thought willy made jeeps	04:25
zaltekk	my router runs all of that minus vpn	04:26
twb	I know a guy that still does everything with PIIIs because he's convinced they have epic MIPS/Watt	04:26
qman__	they are good chips, that's why the core 2 was based on them	04:26
qman__	but obviously the newer versions are better	04:27
twb	I'd like some ARM kit aimed at server people rather than stupidly painful end-user appliances	04:29
zaltekk	twb: ever looked into OpenWRT?	04:30
twb	like, "oh sorry to replace the bootloader you need to jump through 100 hoops" type bollocks	04:30
twb	zaltekk: sure, I run it	04:30
twb	I guess come to think of it I run it on arm these days	04:30
zaltekk	i have it on a MIPS	04:32
ipl31	Any one see kernel messages with randomly missing characters on 11.10 server kernel?	07:10
ipl31	and if so any idea what the cause might be	07:10
=== gustav is now known as beerbro
uvirtbot	New bug: #901638 in unixodbc (main) "tdsodbc failed to upgrade from Oneiric to Precise" [High,In progress] https://launchpad.net/bugs/901638	07:14
=== Guest82058 is now known as onre
=== smb` is now known as smb
koolhead11	hi all	09:30
zapotah	is libvirt interface management somehow broken?	11:26
zapotah	trying to conf a bridged interface for a xen hypervisor	11:27
zapotah	but it just shows with virt-manager when trying to configure interfaces that libvirt connection does not support interface management	11:28
=== Ibyss is now known as Ibyss\|Ubuntu
=== BigRedS_1 is now known as BigRedS
mjau^	morns!r	13:22
mjau^	-r	13:22
mjau^	redhat and suse have chkconfig, but ubuntu doesn't. would anyone happen to know how I can configure in which runlevels certain services should run?	13:24
rbasak	mjau^: update-rc.d for sysv compatibility, but with upstart look at individual service definitions in /etc/init/	13:29
mjau^	ah ok	13:30
ogra_	and read about upstart override files ;)	13:31
pmatulis	ogra_: since 11.10 right?	13:32
ogra_	iirc, yes	13:32
mjau^	oh, 10.04 doesn't run upstart?	13:32
ogra_	might have been 11.04, i'm not sure	13:32
ogra_	it does but an older version	13:32
mjau^	ok	13:32
pmatulis	ogra_,mjau^: i meant the override files began in 11.10	14:06
pmatulis	ogra_,mjau^: upstart appeared in 10.04	14:07
ogra_	pmatulis, upstart appreaed shortly after dapper ...	14:11
ogra_	but it always ran in sysvinit mode	14:12
pmatulis	ogra_: k, i mean upstart jobs	14:24
ogra_	right, for that lucid was the first	14:24
ogra_	though we used to use upstart jobs in ubuntu-mobile before	14:24
ogra_	in jaunty i think	14:24
ogra_	its not that the opportunity wasnt there ... just nobody else used it	14:25
robbiew	utlemming: ping	15:18
utlemming	robbiew: pong	15:18
robbiew	utlemming: hey...quick question	15:18
utlemming	sure	15:18
robbiew	any idea what's causing the failures here: https://jenkins.qa.ubuntu.com/view/Precise%20Daily%20ISOs/	15:19
robbiew	for precise-server-ec2	15:19
robbiew	is it a REAL failure....test case issue...or AWS?	15:19
utlemming	AWS -- jamespage needs an exception for the number of running instances that he's allow to have	15:20
robbiew	utlemming: that's what I thought :)	15:20
robbiew	utlemming: so how do we fix this?	15:21
robbiew	get his account increased?	15:21
robbiew	or change the test	15:22
utlemming	robbiew: its pretty easy, I'll chat with James	15:22
robbiew	utlemming: excellent, thanks!	15:22
smoser	utlemming, https://jenkins.qa.ubuntu.com/view/Precise%20Daily%20ISOs/job/precise-server-ec2/ARCH=i386,REGION=us-west-1,STORAGE=instance-store,TEST=cloud-config,label=ubuntu-server-ec2-testing/lastBuild/artifact/ is a valid failure.	15:25
smoser	i'm interested in knowing how you would "fix" that	15:25
utlemming	I was just looking at that	15:25
jamespage	utlemming, robbiew: that is now resolved BTW (was using my old account for that run)	15:25
utlemming	jamespage: how many is your current limit?	15:26
utlemming	and do you need more?	15:26
smb	smoser, jamespage What is that actually testing? Just curious as precise is reported to not boot at all on ec2...	15:27
uvirtbot	New bug: #902429 in glance (main) "glance 2012.1~e2~20111209.1132-0ubuntu1 fails to install" [Undecided,Fix released] https://launchpad.net/bugs/902429	15:27
smoser	smb, precise boots fine.	15:27
smoser	with the 'idle=halt' work around. that makes everything other than hvm instances boot fine.	15:27
smoser	hvm is doa, though.	15:27
smb	smoser, Oh doh!	15:27
smb	Confused HVM and PVM then	15:28
smoser	(bug 881076 and bug 901305)	15:28
uvirtbot	Launchpad bug 881076 in linux "precise kernels do not boot on ec2 without idle=halt" [High,Triaged] https://launchpad.net/bugs/881076	15:28
uvirtbot	Launchpad bug 901305 in linux "precise fails boot on ec2 hvm" [High,In progress] https://launchpad.net/bugs/901305	15:28
smoser	jamespage, that does bring up a question though...	15:28
smb	smoser, So yes, I am currently on the HVM issue.	15:28
smoser	we should probably at least in the "big run" test an hvm instance	15:29
jamespage	smoser: yes agreed	15:30
jamespage	that needs a change in the framework to support	15:30
smoser	oh?	15:30
smb	smoser, Btw, (just checked) a fix for bug 881076 was upstreamed for 3.2-rc5 and should be included in 3.2.0-4.10	15:34
uvirtbot	Launchpad bug 881076 in linux "precise kernels do not boot on ec2 without idle=halt" [High,Triaged] https://launchpad.net/bugs/881076	15:34
smoser	smb, woot. when is ETA for that to archive ?	15:34
Daviey	\o/	15:35
smb	smoser, rmadison says now	15:35
Daviey	smb: make sure you leave some content for the meeting! :)	15:35
smoser	$ cat /proc/version_signature	15:36
smoser	Ubuntu 3.2.0-4.10-virtual 3.2.0-rc5	15:36
smoser	rmadison seems to know its stuff.	15:36
caribou	Question : I know that ubuntu-vm-builder is being phased out, but would it be possible to have a look at a 3 line patch I have ?	15:40
smb	smoser, So, theoretically, that should boot without the idlealt	15:40
smb	*idle=halt	15:41
caribou	or is is just a waste time	15:41
=== nijaba_afk is now known as nijaba
smoser	utlemming, https://code.launchpad.net/~smoser/vmbuilder/automated-ec2-builds.revert-lp881076-workaround/+merge/85352	15:46
smoser	smoser, yes, verified.	15:46
stgraber	hallyn: looks like adding /dev and /run to our lxc fstab (outside the container) allows us to boot without any change to the container (as far as mounts are concerned)	15:48
utlemming	smoser: merged	15:49
smb	smoser, Great. I think we can set the status to actually fix released (at least for the linux package)	15:49
stgraber	hallyn: only issue is the utmp monitoring code that stops working. My guess is that it's initialized before the container's fstab is used and so doesn't monitor the right file, I'll see if I can easily re-order that bit in the upstream code	15:49
hallyn	stgraber: the reboot patch at this point is tiny. Perhaps we should ask #ubuntu-kernel to carry it.	15:50
smoser	smb, yeah.	15:50
smoser	smb, i'm fine with that...	15:51
* smb likes to remove one from the list...		15:51
stgraber	hallyn: what's the state of the upstream discussions? I seem to remember you mentioning multiple implementations of the patch, do we know what's the preferred one?	15:52
hallyn	http://lkml.org/lkml/2011/12/11/114	15:53
hallyn	stgraber: ^ that pretty much has Oleg's buy-in afaiui	15:53
stgraber	hallyn: looks quit simple indeed. Not sure if we should wait for more upstream feedback or just go with that one for now, then rebase on whatever ends up being in the kernel (if not exactly that one)	15:55
hallyn	me neither - my only concern is that we patch lxc to use that, then have to re-patch to use something different. But I'm really hopeful that the churn is done.	15:57
hallyn	Daviey: i can haz ipxe+etherboot dput? plz?	15:58
Daviey	hallyn: OTP, i will after this..	16:00
hallyn	Daviey: thx	16:01
uvirtbot	New bug: #903259 in mysql-5.1 (main) "package mysql-server-5.1 5.1.54-1ubuntu4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/903259	16:16
stgraber	hallyn: hey, just want to confirm, there isn't a magic mount flag to mount something at a specifc place in the mount stack? As in, I can't say I want my new devtmpfs to be mounted below the devpts mounts we already have?	16:24
stgraber	hallyn: checking if there isn't a way to just let mountall mount the devtmpfs itself without affecting us. The other option is to have the mountall job move our mountpoints aside and move them back to place once /dev is mounted	16:25
stgraber	(mounting a devtmpfs from LXC works but causes some error messages later in upstart that'll be tricky to workaround, so having the magic done in the container seems to be a better option)	16:26
=== Ursinha is now known as Ursinha-lunch
hallyn	nod: eh what?	16:45
hallyn	sorry	16:45
Daviey	lynxman: Hey, are you still working on a new upstream snapshot of ipxe?	16:50
lynxman	Daviey: yessir, it's actually a bug in upstream :)	16:51
lynxman	Daviey: will ping you back with more details	16:51
Daviey	lynxman: are you sure?	16:52
lynxman	Daviey: 100% positive, reproduced on source as well, the debian package tries to do a baserom make which is not included by default in the source but it's accepted as an option, that one breaks :)	16:52
Daviey	ahh	16:53
lynxman	Daviey: that's the solely reason why the makefile on the original source did work, because they didn't do that make, but it's an extra feature	16:53
Daviey	lynxman: have you done a bisect to find the bad commit?	16:53
lynxman	Daviey: it's a bit tricker than that, also my context switching today is rusty, being at Millbank and all :/	16:53
Daviey	heh	16:54
Daviey	lynxman: "make baserom" breaks it?	16:54
lynxman	Daviey: yes	16:55
Daviey	thanks	16:57
jamespage	RoAkSoAx, is there a nice was to pull the ubuntu release into a preseed/snippet template in cobbler?	17:08
hggdh	RoAkSoAx: good morning, Q on cobbler and Lucid and cloud-init	17:11
smoser	RoAkSoAx, 'os_version'	17:12
smoser	jamespage, and note, i found that by 'sudo cobbler system dumpvars --name <some-system-name>'	17:12
smoser	and looking at output	17:12
smoser	so you can use that in context of https://fedorahosted.org/cobbler/wiki/KickstartSnippets	17:12
jamespage	smoser: thanks - I knew it got set in import	17:14
RoAkSoAx	yeah ^^	17:21
RoAkSoAx	jamespage: though, os-version also gets automatically obtained	17:21
wmp	hello, i need help with mdadm. I have md8 in raid0, but i must change one disc from this volume. Is possible to move all data from sda(broken) to sdb? Sdb have enought space	17:22
zul	SpamapS: ping where are we in the openstack sru stuff?	17:23
jamespage	gah - stale iso/kernel	17:25
SpamapS	zul: TB meets tomorrow, pitti and I agreed that we might as well just wait for that.	17:27
zul	SpamapS: k	17:27
=== dendro-afk is now known as dendrobates
zaltekk	can i not do do-release-upgrade from an LTS release to a non-LTS release?	17:46
zaltekk	do i need to just modify sources.list and upgrade manually?	17:47
genii-around	zaltekk: If /etc/update-manager/release-upgrades contains Prompt=normal and not Prompt=lts or Prompt=never ... then you should be able to upgrade to the next-up distribution to what you currently have	17:49
zaltekk	genii-around: okay, thanks.	17:52
zaltekk	it's on lts, so i'll move it to normal.	17:53
genii-around	zaltekk: If you upgrade this way, you move from LTS to non-LTS. Also if you are for instance now on 10.04 , it will take you to 10.10. So then you have to upgrade sequentially through 10.10, 11.04, 11.10.	17:56
genii-around	( whereas LTS releases can go directly to next LTS )	17:56
zaltekk	hmm. i may be better off reinstalling 11.10, then.	17:56
uvirtbot	New bug: #901180 in vsftpd (main) "cannot apt-get remove vsftp after installing it" [Undecided,New] https://launchpad.net/bugs/901180	18:52
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
stgraber	hallyn: around?	19:31
stgraber	hallyn: so after messing with the boot scripts and LXC's config for a while, I guess the easiest way of "fixing" our /dev issues is by adding a tiny bit of logic in mountall	19:32
stgraber	hallyn: basically telling it never to mount a filesystem that would hide other mountpoints	19:32
stgraber	hallyn: this should be safe for most use cases (as you generally don't want that to happen anyway) and will make it skip /dev in containers	19:33
hallyn	jdstrand: does precise introduce a change in 'admin' user?	19:33
hallyn	stgraber: sounds sensible i guess	19:34
jdstrand	hallyn: for 'sudo'? Debian updated sudo to have an equivalent user, called 'sudo'. atm we honor both that and 'admin'	19:34
hallyn	stgraber: i think we just need to let that sink in a bit and think of potential problem cases	19:34
stgraber	hallyn: I'll spend a bit of time (until the TB meeting) trying to implement the change, if I don't succeed jodh said I can just file a bug and assign it to him :)	19:35
hallyn	jdstrand: i only noticed that my user wasn't getting group libvirtd by default, then noticed there was no admin group. On a VM created with vm-new	19:35
jdstrand	hallyn: I think there is a bug on that-- it is open for discussion on whether we are going to honor both or just 'admin'	19:35
jdstrand	hallyn: yep, that would do it	19:35
hallyn	jdstrand: ok, so i don't need to worry about it right now then?	19:35
hallyn	long as i don't have to change the libvirt postinst yet, i'm fine :) thanks	19:36
jdstrand	I don't think so, no	19:36
stgraber	hallyn: people with broken /etc/fstab will see a difference in behavior, I guess a warning should be shown (Skipping /dev as it contains mountpoints) in that case	19:36
jdstrand	hallyn: actually, I don't see a bug open atm-- it might just be mdeslaur, pitti, et al discussing it	19:37
=== don is now known as Guest65301
Guest65301	I am having trouble setting up wifi on my Dell Inspiron E1505. I installed bcmwl-kernel-source and it made ethernet stop working.	19:40
Tophat	can anyone give me a hand setting up basic postfix for use with a relay?	19:49
Duvrazh	Hey, can graphics card drivers be installed on server edition 10.04lts for gnu clients?	19:51
erichammond	Tophat: Try setting "relayhost" in /etc/postfix/main.cf	19:51
Tophat	thanks erichammond	19:52
Duvrazh	gpu, not gnu	19:52
Guest65301	Duvrazh Yeah i think so.	19:56
Tophat	yup, no idea how to even configure postfix and what things mean in the installer lol.	19:58
Duvrazh	Does anyone know if it's possible to install graphics card drivers via cli for ubuntu server 10.04 LTS for the purpose of GPU clients like Folding@Home?	19:59
Duvrazh	Does anyone know if it's possible to install graphics card drivers via cli for ubuntu server 10.04 LTS for the purpose of GPU clients like Folding@Home?	20:05
chz\|bacon	hey guys anyone here willing to lend me a hand with some mdadm questions?	20:15
=== tash-away is now known as tash
=== dendrobates is now known as dendro-afk
pmatulis	!ask \| chz\|bacon	20:38
ubottu	chz\|bacon: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience	20:38
chz\|bacon	sorry pmatulis in the midst of trying to figure it out still	20:41
chz\|bacon	apparently i can't mount my /dev/md0 device on reboot	20:42
chz\|bacon	i'm using the following command sudo mdadm --create --verbose /dev/md0 --level=1 -n2 /dev/sdb /dev/sdc	20:43
chz\|bacon	then i add the output of mdadm --detail --scan to /etc/mdadm/mdadm.conf	20:43
=== Ursinha-lunch is now known as Ursinha
pmatulis	chz\|bacon: you should be assembling the array if it exists, not creating it	20:44
chz\|bacon	right that's just my original line i used to create it	20:45
zastaph	there's gotta be something easier than ESXI and KVM	20:47
pmatulis	zastaph: what's wrong with KVM?	20:48
zastaph	a very long (and commandline) process to set it up :\| https://help.ubuntu.com/community/KVM	20:49
zastaph	I didn't try Xen yet	20:49
zastaph	neither OpenVZ	20:49
zastaph	but are they any easier?	20:49
pmatulis	zastaph: i don't see any long command lines on that page	20:49
zastaph	how about on https://help.ubuntu.com/community/KVM/CreateGuests under "More complex example"	20:50
zastaph	I did just sudo ubuntu-vm-builder kvm lucid but forgot the --libvirt, and have no clue how to access it now :)	20:50
zastaph	or how to delete it.. because it's all hidden deep down below under several man pages	20:51
RoyK	zastaph: virt-manager	20:51
zastaph	i want a GUI interface where I can see all my VM's visually :)	20:51
RoyK	zastaph: virt-manager	20:51
pmatulis	zastaph: just install the s/w (sudo apt-get install virt-host^), set up your public ssh key so you can log in with SSH, and launch virt-manager. then create a virtual machine	20:51
zastaph	RoyK, I don't use Linux from my controlling PC	20:51
RoyK	zastaph: windows?	20:51
zastaph	mmm differs a bit.. but sometimes Linux.. Just I would like the controlling interface to be platform independent	20:52
RoyK	zastaph: if using unix/linux/mac, X should work fine, if on windows, use xming and configure putty accordingly	20:52
RoyK	zastaph: and the interface will be the same on all client platforms	20:52
zastaph	I don't know, I have a bad feeling about KVM so far :) I want something as usable as VBox, just for servers	20:53
RoyK	zastaph: you just got a perfectly good advice that will work with kvm and xen, and you don't even test it?	20:53
zastaph	putty, xming.. setting up X forwarding.. ouch	20:54
zastaph	virt-manager, maybe	20:54
RoyK	zastaph: setting up x forwarding is not an ouch - it's a single tick box in putty. if that's too hard for you, hire a mickysoft consultant to setup hyper-v	20:55
zastaph	mmm if you say so	20:56
RoyK	if you find it hard and troublesome and annoying to setup x forwarding with putty and xming, then perhaps you should be working with other things than computing :þ	20:57
zastaph	no.. im just a lazy developer who would rather spend time finding the tool that requires the least maintenance/man pages	20:58
zaltekk	X forwarding won't work just by having putty	20:59
zaltekk	you need something to provide a local X server	20:59
RoyK	I can see that - next time, perhaps you should try to do some tests before whining about things not working	20:59
RoyK	zastaph: yes, that's where xming comes in	20:59
zaltekk	so i just moved from 10.04.3 to 11.10(reinstall), and now slim works, but after i login it errors out	21:00
zaltekk	tries to load fglrx(never installed catalyst)	21:00
zaltekk	I don't have an xorg.conf, so i'm not sure where it would even get the idea of loading fglrx	21:00
* RoyK has no idea what fglrx is		21:01
zaltekk	RoyK: it's the driver from ATI	21:02
zaltekk	xserver-xorg-video-ati/radeon is what's loaded	21:02
zaltekk	i don't understand why slim works but the wm doesn't.	21:02
* RoyK is off (zzz)		21:02
Tophat	anyone mind giving me a hand on this error from postfix "Cannot open mailbox /var/mail/nagios: Permission denied"	22:01
Tophat	how do i add permissions to nagios to use mail?	22:01
=== dendro-afk is now known as dendrobates
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
hallyn	Tophat: what does 'ls -l /var/mail/nagios' and 'ls -ld /var/mail' show?	22:57
=== bitmonk_ is now known as bitmonk
=== dendrobates is now known as dendro-afk
ahs3	hallyn: i uploaded the netcf update; no confirmation back yet but i'll keep an eye on it. thx for the fixes.	23:33
hallyn	ahs3: \o/ thanks	23:37
Rar9	hi can anyone help with installing solr 3.5 on tomcat7	23:37
ahs3	hallyn: np	23:37
Rar9	tomcat7 is running	23:37
=== maxb_ is now known as maxb
=== skrewler_ is now known as skrewler
SpamapS	Rar9: doesn't SOLR include its own jetty webserver?	23:58
Rar9	that´s a good question...	23:58
Rar9	thought that there is a jetty version and/or Tomcat one	23:59
SpamapS	Rar9: that would make sense	23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!