[00:01] <qman__> use the built in partitioner
[00:01] <qman__> just choose 'manual' instead of 'guided'
[00:03] <wedgeV> ok, thanks
[00:16] <Canadian1296> Can someone help me disable the internet connection for good on Ubuntu 10.04?
[00:18] <Canadian1296> Anyone alive here?
[00:19] <mtphone> I have a pfsense vm. One nic is on the first bridged if which is able to talk to the outside. The other if is on the other bridge which is the if that i want everything grabbing dhcp from. I'm a bit stumped and only have my phone right now...
[00:19] <mtphone> Google stuff says it should be working the way i set it up......
[00:20] <qman__> Canadian1296, what exactly are you trying to do?
[00:21] <qman__> I mean, killing internet access is easy and doable in many ways
[00:21] <qman__> ifdown, route, ifconfig, you name it
[00:21] <mtphone> My route table even shows that internal ip addy should go to that bridged interface...
[00:22] <Canadian1296> qman_, im making a livecd and its sole purpose is for gpg. The user will be root, and i already installed all the necessary packages for it. I need to disable the internet connection so the user cannot enable it
[00:22] <qman__> well, if you don't need any network access at all
[00:23] <qman__> just pull the NIC drivers out
[00:23] <Canadian1296> yeah, i want no internet at all. how do i do that? I asked at the ubuntu channel and they sent me here :P
[00:24] <qman__> compile your own kernel with networking disabled
[00:24] <qman__> that's the only way to do it such that it can't be reenabled without compiling more modules
[00:24] <Canadian1296> okay, is there a simpler way that simply disables it?
[00:25] <qman__> plenty, but they can all be defeated
[00:25] <qman__> no default route, no internet
[00:25] <mtphone> Remove the card entirely
[00:25] <qman__> kill off the networking upstart script
[00:25] <qman__> blacklist all the networking modules
[00:25] <Canadian1296> thats fine, as long as by default its disabled.
[00:25] <mtphone> rm /etc/network/interfaces
[00:28] <Canadian1296> What files or packages should i remove?
[00:29] <qman__> uninstall dhclient
[00:30] <qman__> delete /etc/network/interfaces, /sbin/ip, /sbin/route, and /sbin/ifconfig
[00:33] <Canadian1296> qman_: i removed all of them but i still have internet  :|
[00:33] <qman__> well yeah, your interfaces are still up from before
[00:33] <qman__> but without those tools you can't bring internet back up after taking it down
[00:33] <Canadian1296> okay, how do i take it down now?
[00:33] <qman__> probably also want to remove network manager, ifup, ifdown
[00:34] <twb> 11:23 <qman__> just pull the NIC drivers out
[00:34] <twb> Pull the *NIC* out
[00:34] <qman__> without those tools, you can't bring it down either, short of rebooting
[00:34] <qman__> and yeah, if you have control of the hardware, the NIC itself is the easiest
[00:35] <twb> What I do is: 1) blacklist the modules in the kernel; 2) rm the .ko; 3) add an /etc/kernel-post.d that does (2) if the kernel is upgraded.
[00:35] <Canadian1296> qman_: okay, so when i boot from the livecd (the one i just did that to), i wont have internet. correct?
[00:35] <twb> Although lately I have just been shipping rerolled kernels
[00:35] <twb> Canadian1296: why do you want to revoke internet access?
[00:36] <Canadian1296> twb: livecd for gpg only. no need.
[00:37] <twb> That is not an answer.
[00:37] <twb> That's like saying "they only need black and white so how can I disable all the red pixels on their screen"
[00:38] <Canadian1296> twb: haha yeah you're right… But im doing it because I'm just messing around with making livecd iso's… More to learn how
[00:39] <qman__> if you have a task that needs to be secured from the internet, you need to secure the hardware
[00:42] <Canadian1296> I plan on ending up with a livecd that's loaded into ram. Truecrypt is installed on it, so a gpg keyring is loaded onto it from a removable truecrypt drive. Then the user logs out and only logs in when he is at the computer. shutting it down will wipe the key out (everything is in ram). Theres a script that shuts down the computer as soon as someone types a bad username or password at the login prompt.
[00:44] <qman__> for this plan to retain any kind of security, the hardware absolutely must be secured
[00:44] <qman__> so just remove/disable it
[00:46] <Canadian1296> the idea is the system is running from ram, and the key's in ram. no harddrive or livecd in the machine. To do anything on it you have to log in, or reboot from a different livecd. Rebooting wipes out the key, and failing to log in wipes out the key. I dont see the security hole...
[00:46] <qman__> otherwise, what's to stop anyone from booting a different environment, or loading binaries off a flash drive, or copying sensitive data
[00:47] <qman__> by design it's not going to get the latest security updates either
[00:48] <Canadian1296> Can you load files onto it or boot without logging in or shutting down the running ubuntu os?
[00:49] <qman__> yes
[00:49] <Canadian1296> how?
[00:49] <qman__> rogue flash drive is your main problem
[00:49] <Canadian1296> explain...
[00:49] <qman__> but unless you lock out your bootloader, add "single" to the kernel line, and done
[00:50] <qman__> without physical security your plan is moot, because people can bring in a flash drive with anything on it, and load files onto it
[00:50] <Canadian1296> But if the computer is running a live version from ram, and theres just a login prompt, how do you propose they mount the files?
[00:51] <qman__> google 'kon-boot'
[00:51] <qman__> that's just one of many ways to completely defeat your plan
[00:51] <Canadian1296> i know what konboot is, but it requires you boot from it.
[00:52] <qman__> and without physical security, they can
[00:53] <Canadian1296> can you defeat the login prompt, with only one guess, and without shutting down the system?
[00:53] <qman__> the point is, they don't have to
[00:53] <qman__> without physical security they can boot or load whatever they want
[00:53] <qman__> and defeat the protections you have in place
[00:54] <Canadian1296> I understand anyone could shutdown the system and reboot from a livecd. Full access to the system. But theres nothing on the harddrive. The key was wiped out when the computer shut off.
[00:55] <zaltekk> full harddrive encryption, /boot on a usb key that's removed after boot
[00:56] <qman__> that'd work better
[00:56] <qman__> then they'd need an exploit that works without booting
[00:56] <zaltekk> well, they'd need a way to exploit the running system
[00:56] <qman__> but again, that's physical security
[00:56] <zaltekk> or a hardware keylogger(if the key is manually entered instead of being on the usb key)
[00:56] <qman__> the keys to boot it are locked up
[00:56] <zaltekk> right
[00:56] <zaltekk> i use it only for my laptop
[00:57] <zaltekk> in which case the usb key is on my car/house keys
[00:57] <zaltekk> so if the laptop was stolen
[00:57] <zaltekk> they'd not be able to get in
[00:57] <qman__> it doesn't matter how you protect your live environment if the attacker can boot it, because they can pregame with things like kon-boot
[00:57] <zaltekk> not that i have anything that secret :P
[00:57] <Canadian1296> zaltekk: when booting from the livecd, you can load the entire cd into the ram , then remove the cd. Then all the files are in ram. i was under the impression if the computer shuts down they are gone. (not necessarily unrecoverable, just gone)
[00:57] <twb> Go read Reflections on Trusting Trust
[00:58] <zaltekk> what's the point Canadian1296?
[00:58] <qman__> and even though there isn't one widely available as of right now, they'd only need a USB-based live exploit
[00:58] <twb> Canadian1296: police have gear that can remove computers without turning them off, so RAM is still accessible
[00:59] <qman__> and those have come up in the past, common on windows
[00:59] <zaltekk> i'm not sure what there is to protect when you have no persistent storage
[00:59] <zaltekk> twb: right. it's game over if they shutdown a well-encrypted system
[00:59] <Canadian1296> okay heres my new question. If the cd was loaded into ram, and i created a file (lets just say i typed touch test), then turned off the system. when i rebooted test would be gone. Am i correct?
[01:00] <qman__> yes, but you're accessing a flash drive
[01:00] <qman__> which does have persistent storage
[01:00] <zaltekk> qman__: usb-based stuff is bad on windows because of autoexecution and such
[01:00] <Canadian1296> the flashdrive will be encrypted with truecrypt. used to load the key into ram, then unmounted and removed.
[01:01] <zaltekk> you could have a worm automatically execute by being inserted that then copies itself to all other removable media
[01:01] <qman__> you didn't say that from the beginning
[01:01] <qman__> if the flash drive and CD are not present when the users have access, then you have physical security
[01:01] <qman__> but you're still not protected against a rogue flash drive unless you physically lock up the USB ports
[01:02] <twb> Canadian1296: what attacks are you guarding against?
[01:02] <twb> Canadian1296: your sister, your boss, or the DSD?
[01:02] <Canadian1296> Im sorry, i didnt explain myself properly. One minute
[01:02] <twb> Because the DSD can always rubber-hose you.
[01:02] <twb> I suppose your sister can, if it comes to that...
[01:04] <zaltekk> DSD?
[01:04] <qman__> guessing it's an equivalent to the NSA
[01:05] <Canadian1296> Livecd in the computer, boot to ram, remove livecd. Livecd is now out of the picture (assume its locked in a safe somewhere). Now the usb is mounted with truecrypt, and the key added into the keyring. usb removed and is also out of the picture. logout of system. now you walk up, log in, use gpg, log out. repeat. if someone types a bad password trying to log in, the computer shuts down.
[01:05] <qman__> you still need to physically secure the USB ports
[01:06] <zaltekk> why qman__ ?
[01:06] <qman__> otherwise you're vulnerable to someone exploiting the system with a rogue flash drive, so users after them are exposed
[01:06] <zaltekk> do you mean to prevent the port from having a mitm?
[01:06] <Canadian1296> okay, assuming i am the only one who can log in, am i safe? and while we're on the topic of security, if i describe the setup on my mac can i get advice on how to improve it?
[01:06] <qman__> dropping a rootkit
[01:06] <qman__> no, you're not
[01:07] <qman__> while there aren't any publicly available for current versions, there are exploits that merely require plugging in the flash drive and having it be detected to install
[01:07] <zaltekk> qman__: assuming they have an exploit that attack the usb stack?
[01:07] <zaltekk> *attacks
[01:07] <Canadian1296> do they not have to manually mount the usb?
[01:07] <qman__> no, just needs to exploit the kernel and then they can do nasty things with the current session
[01:07] <zaltekk> Canadian1296: the system interacts with it
[01:08] <zaltekk> think of a specially crafted partition table
[01:08] <Canadian1296> okay, so ill rethink that one :)
[01:08] <qman__> to prevent this in software, you'd have to disable USB altogether
[01:08] <zaltekk> which you could easily do after boot
[01:08] <zaltekk> since you don't seem to plan on ever using it again
[01:08] <twb> Yeah, DSD is .au Defense Signals Department, i.e. SIGINT, not NSA
[01:08] <yann2> usb fun http://astr0baby.wordpress.com/2011/01/30/teensy2-0-and-metasploit/  <3 :)
[01:09] <qman__> if you lock down USB, then you're reasonably secure
[01:10] <twb> qman__: with epoxy resin?
[01:10] <qman__> well, and remove the internal hard drive
[01:10] <qman__> if an exploit gets loaded on there, all subsequent live sessions could be compromised
[01:10] <Canadian1296> okay, so no internal hard drive. and how would i go about disabling usb after boot?
[01:11] <qman__> modified kernel, probably
[01:11] <zaltekk> rmmod and delete the modules
[01:11] <qman__> if you do that, then it would require significant espionage tactics to get anything
[01:12] <qman__> freezing and removing the RAM, or very expensive equipment to do stuff over the air
[01:12] <twb> Boot a kernel with USB disabled
[01:12] <twb> Also with kernel modules disabled
[01:13] <Canadian1296> So basically the only simple solution is no harddrives, and once its booted physically disable the usb ports, thus making the computer useless for future sessions :P
[01:13] <qman__> it would bring you to the level where joe random hacker with a flash drive can't do anything
[01:14] <qman__> and unless you're CIA or something, that's all you really have to worry about
[01:15] <zaltekk> qman__: any idea how the access to live ram works?
[01:15] <twb> qman__: well, apart from rubber hoses &c
[01:15] <qman__> I've only read about it
[01:15] <twb> zaltekk: how do you mean "live ram"?
[01:15] <qman__> but basically, get canned air, use improperly to freeze the RAM, hot swap it into a running system
[01:15] <qman__> and recover data
[01:15] <zaltekk> twb: as in using physical access to be able to get the contents of a stick of ram while the system is running
[01:16] <qman__> they did it at some convention, probably defcon
[01:17] <zaltekk> yann2: that arduino board looks pretty cool
[01:17] <Canadian1296> haha okay thanks for your help guys :) and Im getting to the point where lighting the computer on fire and spreading the ashes in the ocean seems like the most logical solution :P
[01:18] <twb> Canadian1296: shooting it into the sun would be safer
[01:18] <qman__> the point is, physical security is key
[01:18] <qman__> if you can't trust your hardware, you can't trust your software
[01:18] <Canadian1296> twb: i assumed so, but theres so much that could go wrong on the way there. Fire always seems to work
[02:10] <Ibyss> Tillman32: I'm highly against the idea of installing an IRCD using apt-get or ubuntu's package manager. You're better off compiling an IRCD in a NON-root user account using default compile settings.
[02:11] <twb> Ibyss: uh, why?
[02:12] <Ibyss> twb: Tends to be outdated.
[02:12] <twb> That's just another way of saying "stable"
[02:13] <twb> If you want to bleed on the edge, LFS and gentoo are <over there>
[02:15] <qman__> if you stick with the packaged version, the flaws are going to be either patched, or at least known so you can work around them
[02:15] <qman__> latest isn't always greatest
[02:16] <qman__> and it'll come from a fairly trustworthy, accountable source if something does go wrong
[02:16] <Ibyss> Anyway. My point = Download from the distributor's website. Installing is easy. Inspircd in ubuntu's repo is like 1 major version outdated. (many inspircd's stable releases gone by many times already).
[02:16] <Ibyss> qman__: This is why you test.
[02:16] <qman__> can't test everything
[02:18] <Ibyss> Tillman32: Popular IRCDs being Inspircd, unreal, charybdis, You can see more on here: http://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_daemons
[02:19] <twb> If this is for an internal office IRCd, I would just use ircd-irc2
[02:19] <Tillman32> I don't understand why this is being directed t'wards me.
[02:20] <Tillman32> I'm using Empathy, and it's perfectly fine for "hovering" IRC channels.
[02:20] <twb> Unless you KNOW you need something fancier
[02:20] <Ibyss> Tillman32: I thought you wanted an IRCD.
[02:20] <twb> Tillman32: hovering?
[02:20] <kirkland> MTecknology: kirkland isn't working for canonical.com anymore ;-)
[02:20] <Tillman32> You got the wrong guy.
[02:20] <kirkland> MTecknology: I have a copy of that javascript though, I'll put up somewhere else
[02:20] <Tillman32> I didn't mention, this is my first 10 minutes ever spent in this IRC.
[02:20] <twb> What's the turnover rate at canonical anyway?
[02:31] <MTecknology> kirkland: oh- guess i been gone a long while
[02:31] <MTecknology> kirkland: what ya doing now?
[02:31] <kirkland> MTecknology: nah, next week is only my second week at the new gig
[02:32] <kirkland> MTecknology: I have a blog post tomorrow, but the short/skinny is that I'm working for a new startup on data encryption for the cloud around eCryptfs (company is called Gazzang)
[02:32] <MTecknology> kirkland: neat
[02:32] <MTecknology> kirkland: I saw the cloud last month! It was about 10,000 ft below me
[02:32] <twb> kirkland: where are you now?
[02:33] <kirkland> MTecknology: the overly flattering press release is at http://www.marketwatch.com/story/dustin-kirkland-joins-gazzang-as-chief-architect-2011-12-08
[02:33] <twb> Oh, you said
[02:33] <twb> It sounds like linkedin for OGs :P
[02:33] <kirkland> twb: hi
[02:33] <twb> "wazzup homie, hit up this url when you is looking for dogs to roll wit"
[02:34] <kirkland> twb: I've been catching a pretty rough rap from you lately, as I read my backlogs;  I'm getting thrashed for update-motd and byobu on a nightly basis, it seems
[02:34] <kirkland> :-)
[02:34] <kirkland> twb: yeah, it's all about search-engine-optimization for startups nowadays
[02:34] <twb> Well, at least byobu isn't given to people running "screen" now
[02:34] <twb> At at point I don't care about what byobu does
[02:34] <kirkland> twb: that was a mistake, in retrospect, admittedly
[02:35] <MTecknology> I'm trying to set up a decent network from scratch....
[02:35] <twb> if it makes it any better I hate on SJR way more
[02:35] <kirkland> I'm done with screen, anyway;  it's all about tmux
[02:35] <MTecknology> I'd like to have it all running really cheap on a single server too :)
[02:35] <twb> I would like tmux if it did some more screen things
[02:35] <MTecknology> Apparently putting a routing device on a VM is a bit of a pain
[02:35] <twb> Like, tmux you can either say "guess the title" or "let the title be fred".  You can't have both
[02:36] <MTecknology> hm.. does anyone actually use byobu? (bring your own beer, you)
[02:36] <twb> It gets it out of /proc instead of letting me change it from "emacs" to the buffer name, or whatever
[02:36] <twb> MTecknology: kids
[02:36] <twb> MTecknology: people who don't already have a .screenrc
[02:36] <MTecknology> twb: my .screenrc is pretty minimal..
[02:37] <MTecknology> maybe i should try it more sometime
[02:37] <kirkland> MTecknology: hard for me to say objectively, but my inbox, irc logs, and google alerts are crammed with people raving about it
[02:37] <kirkland> MTecknology: on the other hand...
[02:37] <twb> kirkland: good raving or bad raving? ;-)
[02:38] <kirkland> MTecknology: there's plenty of sophisticated screen users (erm, twb?) who effing hate it, and do so pretty vocally
[02:38] <kirkland> MTecknology: so the new approach has been to try and offend knowledgeable users as little as possible
[02:38] <kirkland> MTecknology: while still helping those who appreciate a nudge in the right direction
[02:39] <twb> The goal of byobu AIUI is to improve feature discoverability.  Which IMO is a good thing.
[02:39] <MTecknology> i never tried it enough to give it an honest shot... I kinda been sticking with what works since screen was a bitch to get used to and I don't wanna do that again
[02:39] <twb> Plenty of people I met are like "OMG, you can have >1 window in screen?!?!"
[02:39] <qman__> if only other projects would take that stance
[02:39] <MTecknology> but i guess... i did learn dvorak and it's helped me a huge deal
[02:39] <twb> Let alone people who are running minicom in it FFS
[02:40] <MTecknology> terminator -m -b -T irssi -x ssh user@domain.tld -t screen -aAdr -RR irssi irssi
[02:40] <MTecknology> :)
[02:40] <twb> http://cyber.com.au/~twb/.tmux.conf is my tmux rant
[02:42] <kirkland> twb: man, you give the lwn grumpy editor a run for his money
[02:42] <kirkland> :-)
[02:43] <twb> http://cyber.com.au/~twb/doc/grumbling.txt is the properly prepared one
[02:43] <twb> corbet tends to assume people had a good reason; I assume they're just idiots
[02:50] <MTecknology> kirkland: so you're a super brilliant guy, right? I should hire you... payment will come in the form of love
[02:51] <kirkland> MTecknology: as interesting as the prospect is, my wife will object, I'm afraid
[02:53] <MTecknology> I have a pfsense box that's running on a physical system. I want that system for something else. So.. I want to move the pfsense system into a VM on my VM host system. I guess that means i'll have two interfaces on the physical system that will need to be bridged.
[02:53] <lifeless> twb: thats special - '# So if you want to use parens inside #(), you have to escape... only the closing paren.
[02:53] <lifeless> '
[02:53] <twb> lifeless: yeah, tell me about it
[02:53] <twb> Silly openbsd people
[02:54] <MTecknology> I'm a bit lost at how to make my server use the pfsense system that's sitting on top of it, of course if the vm doesn't come up, no networking at all will work
[03:24] <zaltekk> twb: lifeless: i think that came along before tmux was included in openbsg
[03:25] <zaltekk> *openbsd
[03:32] <twb> MTecknology: why on earth are you trying to use a pfsense VM for your firewall
[03:32] <MTecknology> twb: I'm not so much worried about using it as a firewall, it's all the other services on it that i love
[03:33] <MTecknology> twb: I'd like to be able to just give eth0 to the vm and have everything else use eth1
[03:33] <twb> uhuh
[03:34] <MTecknology> twb: I know it's a bad idea... but I still wanna do it... I'm a bit short on systems laying around
[03:34] <twb> AFAICT it's just a router distro, so the only real advantage of using it instead of Ubuntu as your bastion is pf (assuming you prefer pf to netfilter)
[03:35] <MTecknology> it has a really pretty and retardedly simple web interface for people that don't want to think
[03:36] <MTecknology> twb: despite it being a bad idea...... any chance you could help me figure out how to route traffic through the vm?
[03:36] <qman__> it's just a convenient ready-made solution, we use untangle at work, same idea
[03:37] <qman__> however, I don't think running it in a VM is a good idea
[03:37] <qman__> just way too complex
[03:37] <twb> I grant you that "router appliance!!1!" is a separate issue from "bastion in a VM"
[03:37] <qman__> KISS works best
[03:37] <twb> Personally I think both are stupid but the latter is stupider
[03:37] <MTecknology> I'm also curious how to ever do something like this..
[03:38] <qman__> in my opinion, the router has the hardest job and the most demanding requirements, because it is your first line of defense, and if it goes down, everything goes down
[03:38] <qman__> I don't trust a VM setup to deal with that
[03:41] <twb> qman__: and I don't trust an appliance to do it either :-)
[03:41] <MTecknology> HAHAHA!!
[03:41] <MTecknology> So... apparently I managed to set up the vm so that it took over for my other router
[03:41] <qman__> I don't use it for my network, but untangle does have some cool features for the windows based clients we service
[03:41] <MTecknology> the only thing missing was that the thing couldn't get out to the internet
[03:41] <qman__> automatic inline antivirus and spyware and whatnot
[03:42] <twb> qman__: ah, well, you know what my fix for THAT will be
[03:42] <twb> Anyway it's probably just clamav and friends...
[03:44] <qman__> the antivirus is, don't know about the phishing and spyware, it's got spam and a list-based web filter too, just makes it really quick to set up
[03:44] <qman__> they've got pay-for modules like kaspersky too
[03:44] <qman__> but we just use the free stuff
[03:45] <qman__> I don't use it on my stuff because my stuff is set up right in the first place
[03:45] <qman__> but it's a good bandaid, catch-all tool for those situations
[03:47] <qman__> my job is, unfortunately, all about the bandaids and quick fixes
[03:49] <twb> My job is usually to go back and fix it after the bandaid has worn away after being in place for ten years
[03:50] <twb> And I say "you should do <right thing>" and they say "too bad we can only afford <bandaid>"
[04:05] <MTecknology> WORKING!!!
[04:11] <MTecknology> twb: I still realize that it's a terrible idea to rely on a VM for a firewall, I really only care about the dhcp, dns, ntp, nat, vpn, and static routes, i have a different device that functions as a firewall
[04:13] <qman__> that's all fairly trivial to set up in pretty much any distro
[04:14] <MTecknology> qman__: yup- the non-trivial part is making it work as a vm
[04:14] <MTecknology> qman__: that's what i've been fighting with
[04:14] <qman__> don't see the point
[04:14] <qman__> run it on the host
[04:15] <MTecknology> I don't like making any server have more than one function, especially on a vm host
[04:16] <qman__> except for VPN, that all runs on my router
[04:17] <qman__> not sure what you're using for a firewall but if it's not capable of running that stuff, it's probably not a very good firewall either
[04:18] <MTecknology> it's not
[04:18] <MTecknology> it's also a home network
[04:19] <qman__> doesn't make it any better/worse an idea
[04:20] <qman__> a network's a network
[04:21] <MTecknology> feel free to donate some hardware...
[04:23] <qman__> I've thrown away machines that could do that job sufficiently
[04:25] <qman__> if you want to pay shipping I have some pentium IIs, a willy P4, and some other crap that would work too
[04:25] <twb> I thought willy made jeeps
[04:26] <zaltekk> my router runs all of that minus vpn
[04:26] <twb> I know a guy that still does everything with PIIIs because he's convinced they have epic MIPS/Watt
[04:26] <qman__> they are good chips, that's why the core 2 was based on them
[04:27] <qman__> but obviously the newer versions are better
[04:29] <twb> I'd like some ARM kit aimed at server people rather than stupidly painful end-user appliances
[04:30] <zaltekk> twb: ever looked into OpenWRT?
[04:30] <twb> like, "oh sorry to replace the bootloader you need to jump through 100 hoops" type bollocks
[04:30] <twb> zaltekk: sure, I run it
[04:30] <twb> I guess come to think of it I run it on arm these days
[04:32] <zaltekk> i have it on a MIPS
[07:10] <ipl31> Any one see kernel messages with randomly missing characters on 11.10 server kernel?
[07:10] <ipl31> and if so any idea what the cause might be
[09:30] <koolhead11> hi all
[11:26] <zapotah> is libvirt interface management somehow broken?
[11:27] <zapotah> trying to conf a bridged interface for a xen hypervisor
[11:28] <zapotah> but it just shows with virt-manager when trying to configure interfaces that libvirt connection does not support interface management
[13:22] <mjau^> morns!r
[13:22] <mjau^> -r
[13:24] <mjau^> redhat and suse have chkconfig, but ubuntu doesn't. would anyone happen to know how I can configure in which runlevels certain services should run?
[13:29] <rbasak> mjau^: update-rc.d for sysv compatibility, but with upstart look at individual service definitions in /etc/init/
[13:30] <mjau^> ah ok
[13:31] <ogra_> and read about upstart override files ;)
[13:32] <pmatulis> ogra_: since 11.10 right?
[13:32] <ogra_> iirc, yes
[13:32] <mjau^> oh, 10.04 doesn't run upstart?
[13:32] <ogra_> might have been 11.04, i'm not sure
[13:32] <ogra_> it does but an older version
[13:32] <mjau^> ok
[14:06] <pmatulis> ogra_,mjau^: i meant the override files began in 11.10
[14:07] <pmatulis> ogra_,mjau^: upstart appeared in 10.04
[14:11] <ogra_> pmatulis, upstart appeared shortly after dapper ...
[14:12] <ogra_> but it always ran in sysvinit mode
[14:24] <pmatulis> ogra_: k, i mean upstart jobs
[14:24] <ogra_> right, for that lucid was the first
[14:24] <ogra_> though we used to use upstart jobs in ubuntu-mobile before
[14:24] <ogra_> in jaunty i think
[14:25] <ogra_> its not that the opportunity wasnt there ... just nobody else used it
[15:18] <robbiew> utlemming:  ping
[15:18] <utlemming> robbiew: pong
[15:18] <robbiew> utlemming: hey...quick question
[15:18] <utlemming> sure
[15:19] <robbiew> any idea what's causing the failures here: https://jenkins.qa.ubuntu.com/view/Precise%20Daily%20ISOs/
[15:19] <robbiew> for precise-server-ec2
[15:19] <robbiew> is it a REAL failure....test case issue...or AWS?
[15:20] <utlemming> AWS -- jamespage needs an exception for the number of running instances that he's allowed to have
[15:20] <robbiew> utlemming: that's what I thought :)
[15:21] <robbiew> utlemming: so how do we fix this?
[15:21] <robbiew> get his account increased?
[15:22] <robbiew> or change the test
[15:22] <utlemming> robbiew: its pretty easy, I'll chat with James
[15:22] <robbiew> utlemming: excellent, thanks!
[15:25] <smoser> utlemming, https://jenkins.qa.ubuntu.com/view/Precise%20Daily%20ISOs/job/precise-server-ec2/ARCH=i386,REGION=us-west-1,STORAGE=instance-store,TEST=cloud-config,label=ubuntu-server-ec2-testing/lastBuild/artifact/ is a valid failure.
[15:25] <smoser> i'm interested in knowing how you would "fix" that
[15:25] <utlemming> I was just looking at that
[15:25] <jamespage> utlemming, robbiew: that is now resolved BTW (was using my old account for that run)
[15:26] <utlemming> jamespage: how many is your current limit?
[15:26] <utlemming> and do you need more?
[15:27] <smb> smoser, jamespage What is that actually testing? Just curious as precise is reported to not boot at all on ec2...
[15:27] <smoser> smb, precise boots fine.
[15:27] <smoser> with the 'idle=halt' work around. that makes everything other than hvm instances boot fine.
[15:27] <smoser> hvm is doa, though.
[15:27] <smb> smoser, Oh doh!
[15:28] <smb> Confused HVM and PVM then
[15:28] <smoser> (bug 881076 and bug 901305)
[15:28] <smoser> jamespage, that does bring up a question though...
[15:28] <smb> smoser, So yes, I am currently on the HVM issue.
[15:29] <smoser> we should probably at least in the "big run" test an hvm instance
[15:30] <jamespage> smoser: yes agreed
[15:30] <jamespage> that needs a change in the framework to support
[15:30] <smoser> oh?
[15:34] <smb> smoser, Btw, (just checked) a fix for bug 881076 was upstreamed for 3.2-rc5 and should be included in 3.2.0-4.10
[15:34] <smoser> smb, woot. when is ETA for that to archive ?
[15:35] <Daviey> \o/
[15:35] <smb> smoser, rmadison says now
[15:35] <Daviey> smb: make sure you leave some content for the meeting! :)
[15:36] <smoser> $ cat /proc/version_signature
[15:36] <smoser> Ubuntu 3.2.0-4.10-virtual 3.2.0-rc5
[15:36] <smoser> rmadison seems to know its stuff.
[15:40] <caribou> Question : I know that ubuntu-vm-builder is being phased out, but would it be possible to have a look at a 3 line patch I have ?
[15:40] <smb> smoser, So, theoretically, that should boot without the idlealt
[15:41] <smb> *idle=halt
[15:41] <caribou> or is it just a waste of time
[15:46] <smoser> utlemming, https://code.launchpad.net/~smoser/vmbuilder/automated-ec2-builds.revert-lp881076-workaround/+merge/85352
[15:46] <smoser> smoser, yes, verified.
[15:48] <stgraber> hallyn: looks like adding /dev and /run to our lxc fstab (outside the container) allows us to boot without any change to the container (as far as mounts are concerned)
[15:49] <utlemming> smoser: merged
[15:49] <smb> smoser, Great. I think we can set the status to actually fix released (at least for the linux package)
[15:49] <stgraber> hallyn: only issue is the utmp monitoring code that stops working. My guess is that it's initialized before the container's fstab is used and so doesn't monitor the right file, I'll see if I can easily re-order that bit in the upstream code
[15:50] <hallyn> stgraber: the reboot patch at this point is tiny.  Perhaps we should ask #ubuntu-kernel to carry it.
[15:50] <smoser> smb, yeah.
[15:51] <smoser> smb, i'm fine with that...
[15:51]  * smb likes to remove one from the list...
[15:52] <stgraber> hallyn: what's the state of the upstream discussions? I seem to remember you mentioning multiple implementations of the patch, do we know what's the preferred one?
[15:53] <hallyn> http://lkml.org/lkml/2011/12/11/114
[15:53] <hallyn> stgraber: ^ that pretty much has Oleg's buy-in afaiui
[15:55] <stgraber> hallyn: looks quite simple indeed. Not sure if we should wait for more upstream feedback or just go with that one for now, then rebase on whatever ends up being in the kernel (if not exactly that one)
[15:57] <hallyn> me neither - my only concern is that we patch lxc to use that, then have to re-patch to use something different.  But I'm really hopeful that the churn is done.
[15:58] <hallyn> Daviey: i can haz ipxe+etherboot dput?  plz?
[16:00] <Daviey> hallyn: OTP, i will after this..
[16:01] <hallyn> Daviey: thx
[16:24] <stgraber> hallyn: hey, just want to confirm, there isn't a magic mount flag to mount something at a specific place in the mount stack? As in, I can't say I want my new devtmpfs to be mounted below the devpts mounts we already have?
[16:25] <stgraber> hallyn: checking if there isn't a way to just let mountall mount the devtmpfs itself without affecting us. The other option is to have the mountall job move our mountpoints aside and move them back to place once /dev is mounted
[16:26] <stgraber> (mounting a devtmpfs from LXC works but causes some error messages later in upstart that'll be tricky to workaround, so having the magic done in the container seems to be a better option)
[16:45] <hallyn> nod: eh what?
[16:45] <hallyn> sorry
[16:50] <Daviey> lynxman: Hey, are you still working on a new upstream snapshot of ipxe?
[16:51] <lynxman> Daviey: yessir, it's actually a bug in upstream :)
[16:51] <lynxman> Daviey: will ping you back with more details
[16:52] <Daviey> lynxman: are you sure?
[16:52] <lynxman> Daviey: 100% positive, reproduced on source as well, the debian package tries to do a baserom make which is not included by default in the source but it's accepted as an option, that one breaks :)
[16:53] <Daviey> ahh
[16:53] <lynxman> Daviey: that's the sole reason why the makefile on the original source did work, because they didn't do that make, but it's an extra feature
[16:53] <Daviey> lynxman: have you done a bisect to find the bad commit?
[16:53] <lynxman> Daviey: it's a bit trickier than that, also my context switching today is rusty, being at Millbank and all :/
[16:54] <Daviey> heh
[16:54] <Daviey> lynxman: "make baserom" breaks it?
[16:55] <lynxman> Daviey: yes
[16:57] <Daviey> thanks
[17:08] <jamespage> RoAkSoAx, is there a nice way to pull the ubuntu release into a preseed/snippet template in cobbler?
[17:11] <hggdh> RoAkSoAx: good morning, Q on cobbler and Lucid and cloud-init
[17:12] <smoser> RoAkSoAx, 'os_version'
[17:12] <smoser> jamespage, and note, i found that by 'sudo cobbler system dumpvars --name <some-system-name>'
[17:12] <smoser> and looking at output
[17:12] <smoser> so you can use that in context of https://fedorahosted.org/cobbler/wiki/KickstartSnippets
[17:14] <jamespage> smoser: thanks - I knew it got set in import
[17:21] <RoAkSoAx> yeah ^^
[17:21] <RoAkSoAx> jamespage: though, os-version also gets automatically obtained
[17:22] <wmp> hello, i need help with mdadm. I have md8 in raid0, but i must change one disc from this volume. Is it possible to move all data from sda(broken) to sdb? Sdb has enough space
[17:23] <zul> SpamapS: ping where are we in the openstack sru stuff?
[17:25] <jamespage> gah - stale iso/kernel
[17:27] <SpamapS> zul: TB meets tomorrow, pitti and I agreed that we might as well just wait for that.
[17:27] <zul> SpamapS: k
[17:46] <zaltekk> can i not do do-release-upgrade from an LTS release to a non-LTS release?
[17:47] <zaltekk> do i need to just modify sources.list and upgrade manually?
[17:49] <genii-around> zaltekk: If /etc/update-manager/release-upgrades  contains Prompt=normal  and not Prompt=lts or Prompt=never ... then you should be able to upgrade to the next-up distribution to what you currently have
[17:52] <zaltekk> genii-around: okay, thanks.
[17:53] <zaltekk> it's on lts, so i'll move it to normal.
[17:56] <genii-around> zaltekk: If you upgrade this way, you move from LTS to non-LTS.  Also if you are for instance now on 10.04 , it will take you to 10.10. So then you have to upgrade sequentially through 10.10, 11.04, 11.10.
[17:56] <genii-around> ( whereas LTS releases can go directly to next LTS )
[17:56] <zaltekk> hmm. i may be better off reinstalling 11.10, then.
[19:31] <stgraber> hallyn: around?
[19:32] <stgraber> hallyn: so after messing with the boot scripts and LXC's config for a while, I guess the easiest way of "fixing" our /dev issues is by adding a tiny bit of logic in mountall
[19:32] <stgraber> hallyn: basically telling it never to mount a filesystem that would hide other mountpoints
[19:33] <stgraber> hallyn: this should be safe for most use cases (as you generally don't want that to happen anyway) and will make it skip /dev in containers
[19:33] <hallyn> jdstrand: does precise introduce a change in 'admin' user?
[19:34] <hallyn> stgraber: sounds sensible i guess
[19:34] <jdstrand> hallyn: for 'sudo'? Debian updated sudo to have an equivalent user, called 'sudo'. atm we honor both that and 'admin'
[19:34] <hallyn> stgraber: i think we just need to let that sink in a bit and think of potential problem cases
[19:35] <stgraber> hallyn: I'll spend a bit of time (until the TB meeting) trying to implement the change, if I don't succeed jodh said I can just file a bug and assign it to him :)
[19:35] <hallyn> jdstrand: i only noticed that my user wasn't getting group libvirtd by default, then noticed there was no admin group.  On a VM created with vm-new
[19:35] <jdstrand> hallyn: I think there is a bug on that-- it is open for discussion on whether we are going to honor both or just 'admin'
[19:35] <jdstrand> hallyn: yep, that would do it
[19:35] <hallyn> jdstrand: ok, so i don't need to worry about it right now then?
[19:36] <hallyn> long as i don't have to change the libvirt postinst yet, i'm fine :)  thanks
[19:36] <jdstrand> I don't think so, no
[19:36] <stgraber> hallyn: people with broken /etc/fstab will see a difference in behavior, I guess a warning should be shown (Skipping /dev as it contains mountpoints) in that case
[19:37] <jdstrand> hallyn: actually, I don't see a bug open atm-- it might just be mdeslaur, pitti, et al discussing it
[19:40] <Guest65301> I am having trouble setting up wifi on my Dell Inspiron E1505. I installed bcmwl-kernel-source and it made ethernet stop working.
[19:49] <Tophat> can anyone give me a hand setting up basic postfix for use with a relay?
[19:51] <Duvrazh> Hey, can graphics card drivers be installed on server edition 10.04lts for gnu clients?
[19:51] <erichammond> Tophat: Try setting "relayhost" in /etc/postfix/main.cf
[19:52] <Tophat> thanks erichammond
[19:52] <Duvrazh> gpu, not gnu
[19:56] <Guest65301> Duvrazh Yeah i think so.
[19:58] <Tophat> yup, no idea how to even configure postfix and what things mean in the installer lol.
[19:59] <Duvrazh> Does anyone know if it's possible to install graphics card drivers via cli for ubuntu server 10.04 LTS for the purpose of GPU clients like Folding@Home?
[20:05] <Duvrazh> Does anyone know if it's possible to install graphics card drivers via cli for ubuntu server 10.04 LTS for the purpose of GPU clients like Folding@Home?
[20:15] <chz|bacon> hey guys anyone here willing to lend me a hand with some mdadm questions?
[20:38] <pmatulis> !ask | chz|bacon
[20:41] <chz|bacon> sorry pmatulis in the midst of trying to figure it out still
[20:42] <chz|bacon> apparently i can't mount my /dev/md0 device on reboot
[20:43] <chz|bacon> i'm using the following command sudo mdadm --create --verbose /dev/md0 --level=1 -n2 /dev/sdb /dev/sdc
[20:43] <chz|bacon> then i add the output of mdadm --detail --scan to /etc/mdadm/mdadm.conf
[20:44] <pmatulis> chz|bacon: you should be assembling the array if it exists, not creating it
[20:45] <chz|bacon> right that's just my original line i used to create it
[20:47] <zastaph> there's gotta be something easier than ESXI and KVM
[20:48] <pmatulis> zastaph: what's wrong with KVM?
[20:49] <zastaph> a very long (and commandline) process to set it up :| https://help.ubuntu.com/community/KVM
[20:49] <zastaph> I didn't try Xen yet
[20:49] <zastaph> neither OpenVZ
[20:49] <zastaph> but are they any easier?
[20:49] <pmatulis> zastaph: i don't see any long command lines on that page
[20:50] <zastaph> how about on https://help.ubuntu.com/community/KVM/CreateGuests under "More complex example"
[20:50] <zastaph> I did just sudo ubuntu-vm-builder kvm lucid but forgot the --libvirt, and have no clue how to access it now :)
[20:51] <zastaph> or how to delete it.. because it's all hidden deep down below under several man pages
[20:51] <RoyK> zastaph: virt-manager
[20:51] <zastaph> i want a GUI interface where I can see all my VM's visually :)
[20:51] <RoyK> zastaph: virt-manager
[20:51] <pmatulis> zastaph: just install the s/w (sudo apt-get install virt-host^), set up your public ssh key so you can log in with SSH, and launch virt-manager.  then create a virtual machine
[20:51] <zastaph> RoyK, I don't use Linux from my controlling PC
[20:51] <RoyK> zastaph: windows?
[20:52] <zastaph> mmm differs a bit.. but sometimes Linux.. Just I would like the controlling interface to be platform independent
[20:52] <RoyK> zastaph: if using unix/linux/mac, X should work fine, if on windows, use xming and configure putty accordingly
[20:52] <RoyK> zastaph: and the interface will be the same on all client platforms
[20:53] <zastaph> I don't know, I have a bad feeling about KVM so far :) I want something as usable as VBox, just for servers
[20:53] <RoyK> zastaph: you just got a perfectly good advice that will work with kvm and xen, and you don't even test it?
[20:54] <zastaph> putty, xming.. setting up X forwarding.. ouch
[20:54] <zastaph> virt-manager, maybe
[20:55] <RoyK> zastaph: setting up x forwarding is not an ouch - it's a single tick box in putty. if that's too hard for you, hire a mickysoft consultant to setup hyper-v
[20:56] <zastaph> mmm if you say so
[20:57] <RoyK> if you find it hard and troublesome and annoying to setup x forwarding with putty and xming, then perhaps you should be working with other things than computing :þ
[20:58] <zastaph> no.. im just a lazy developer who would rather spend time finding the tool that requires the least maintenance/man pages
[20:59] <zaltekk> X forwarding won't work just by having putty
[20:59] <zaltekk> you need something to provide a local X server
[20:59] <RoyK> I can see that - next time, perhaps you should try to do some tests before whining about things not working
[20:59] <RoyK> zastaph: yes, that's where xming comes in
[21:00] <zaltekk> so i just moved from 10.04.3 to 11.10(reinstall), and now slim works, but after i login it errors out
[21:00] <zaltekk> tries to load fglrx(never installed catalyst)
[21:00] <zaltekk> I don't have an xorg.conf, so i'm not sure where it would even get the idea of loading fglrx
[21:01]  * RoyK has no idea what fglrx is
[21:02] <zaltekk> RoyK: it's the driver from ATI
[21:02] <zaltekk> xserver-xorg-video-ati/radeon is what's loaded
[21:02] <zaltekk> i don't understand why slim works but the wm doesn't.
[21:02]  * RoyK is off (zzz)
[22:01] <Tophat> anyone mind giving me a hand on this error from postfix "Cannot open mailbox /var/mail/nagios: Permission denied"
[22:01] <Tophat> how do i add permissions to nagios to use mail?
[22:57] <hallyn> Tophat: what does 'ls -l /var/mail/nagios' and 'ls -ld /var/mail' show?
[23:33] <ahs3> hallyn: i uploaded the netcf update; no confirmation back yet but i'll keep an eye on it.  thx for the fixes.
[23:37] <hallyn> ahs3: \o/  thanks
[23:37] <Rar9> hi can anyone help with installing solr 3.5 on tomcat7
[23:37] <ahs3> hallyn: np
[23:37] <Rar9> tomcat7 is running
[23:58] <SpamapS> Rar9: doesn't SOLR include its own jetty webserver?
[23:58] <Rar9> that's a good question...
[23:59] <Rar9> thought that there is a jetty version and/or Tomcat one
[23:59] <SpamapS> Rar9: that would make sense