[00:42] is ubuntu a 64 bit OS?
=== sixstringsg|away is now known as sixstringsg
[00:43] if you want it to be, sure
[00:43] ok cool
[00:44] ubuntu is free right, hence its popularity
[00:44] im looking into building my own computer and/or server in the next few years
[00:44] next few years?
[00:45] well... maybe in even 5 years time
[00:45] all depends how things go
[00:45] im waiting for GPU's to increase in their FLOP rates, up to teraflops i think, quite a few of them
[00:46] which im guessing will come with successive die shrinks
[00:47] so yeh.. im looking at 5 or so years when chips are made on 10-11nm scale, adding on a year or so for prices to drop too
[00:49] does that sound weird or no?
[00:49] i want to utilise nvidias CUDA or something similar for simulations and such
[00:50] anyway.. im guessing ill be using a linux based OS to save on cash, and plus it offers more flexibility im guessing
[00:52] so yeh, my plan was to build a mini supercomputer type thing around 2016-18 or so, but then i realised i might want to host my own website and so i will look into building a server too because by todays bandwidth in the UK, we can get 100mbps fibre optic but in a few years im guessing that up to 1gbps will be available
[00:53] Oh and also im waiting for hard disk space to increase up to the 10s of Tb's
[00:55] lordy sorry, not like anyone is talking
[00:57] welcome back tightwork, i wont flood anymore
[00:59] how does ubuntu have so many of its future versions already named out to the year 2017?
[01:00] oh my bad, thats the date it is supported until
[01:02] ill be back one day, knowing everything about ubuntu, you'll see
=== sixstringsg is now known as sixstringsg|away
[02:00] angelabad in da HOUSE
[02:05] I've a machine with 3 users, out of which one used to be in sudoers list-- for some reason , or maybe I forgot, I can't sudo into root anymore...and seems like ssh root@localhost is barred
[02:06] any ideas if I can fix this?
=== sixstringsg|away is now known as sixstringsg
=== sixstringsg is now known as sixstringsg|away
=== sixstringsg|away is now known as sixstringsg
[02:53] how can i force the use of an lesser-version-numbered package if a higher-version-number exists already on the system, without uninstalling the package
=== sixstringsg is now known as sixstringsg|afk
=== dendro-afk is now known as dendrobates
[05:01] New bug: #910722 in libpam-ldap (main) "Request support for multiarch in libpam-ldap" [Undecided,New] https://launchpad.net/bugs/910722
[05:08] never got an answer, so i'll re-ask. how can i force the use of an lesser-version-numbered package if a higher-version-number exists already on the system, without uninstalling the package
[05:11] Resistance: Want to have the newer version installed in parallel, or simply be able to downgrade without having the uninstall/remove be a separate step?
[05:12] andol: they're the same program, same version, just slightly different numbering because one's a fork of the original debian package
[05:13] andol: i need the newer version to be purged, but without the interruption of the program
[05:13] downgrading directly would work better
[05:13] without having uninstall/remove as an option
[05:14] Well, not sure if there is a better way, but I have had luck calling "dpkg -i" directly on the deb package in question. In case there are multiple deb files all having to be of the same version you might have to list all those files as arguments to the same dpkg -i run.
=== dendrobates is now known as dendro-afk
[05:35] andol: i think i figured it out...
[05:36] the newer version only exists because its installed... by me doing: aptitude install = repeatedly, for each package and version, it should fix it all.
[05:37] Good to hear.
=== sixstringsg|afk is now known as sixstringsg|away
[08:23] squid acl .# is a subdomain of .# (Using HOSTS acl)
=== smb` is now known as smb
=== huats_ is now known as huats
=== dendro-afk is now known as dendrobates
[13:33] I need to setup a server for vmware virtual machines, but looks like vmware server doesn't install on 10.04, any ideas?
[13:37] ah, always good to ask on IRC, as that's when you find solution: http://hmontoliu.blogspot.com/2010/04/installing-vmware-server-202-in-ubuntu.html
[13:45] Tm_T, rubber ducky, you're the one
=== JanC_ is now known as JanC
[13:46] (http://c2.com/cgi/wiki?RubberDucking)
[13:46] cwillu_at_work: indeed
[13:56] New bug: #910838 in quota (main) "Sync quota 4.00-3 (main) from Debian unstable (main)" [Wishlist,New] https://launchpad.net/bugs/910838
[14:36] <_ruben> Tm_T: vmware server has been eol for ages now though
[14:56] _ruben: aware of that but thanks (:
[14:57] _ruben, isn't that why we have vm's? to run unsupported software when necessary? :)
[14:58] <_ruben> cwillu_at_work: perhaps you do, it surely isn't the reason why we do virtualization :)
[16:01] How do I keep an ssh tunnel alive ? I do have "TCPKeepAlive yes" but it seems to die in a few minutes of inactivity.
=== dendrobates is now known as dendro-afk
[16:20] ssh tunnels don't die, unless you close them
[16:20] most likely it's your routers nat timeout
[16:20] patdk-lap: TCPKeepAlive's usually work to keep the nat alive too tho
[16:21] pythonirc101: perhaps your router's nat timeout is very low
[16:21] only if the other params for it are adjusted correctly for his nat timeout
=== dendro-afk is now known as dendrobates
[16:26] I want the user to be not able to login, but be able to create tunnels. How can I do this? I am trying to use "bash -r". Is there anything better i can use?
[16:27] magicblaze007: you can assign a specific command to a particular key in the user's authorized_keys file
[16:28] SpamapS: Do you know if ssh uses the shell when creating a tunnel?
[16:29] SpamapS: if not i'd like to disable shell logins- was looking at bash -r
[16:29] magicblaze007: no, the shell is only run when there's no set command, and the user has requested a tty
[16:29] perfect, so how do i tell a login, that it can never get a shell?
[16:30] magicblaze007: in ~/.ssh/authorized_keys , for the user's key, you set command="..."
[16:30] I was reading this -- http://linux1.ca/docs/restricted_env.shtml -- which is more about restricting public ssh accounts...not completely stopping logins.
[16:30] New bug: #910899 in samba "Enumerating users over NSS doesn't work with idmap_ad" [Undecided,New] https://launchpad.net/bugs/910899
[16:31] magicblaze007: if you want to let users bounce off you, why not try openvpn instead?
[16:31] SpamapS: its a headache to setup and maintain?
[16:32] magicblaze007: actually you can do 'ForceCommand' in sshd_config also
[16:32] + I've to install client installers...whereas in ssh, i can use a ssh library in my code.
[16:32] headache to setup and maintain?
[16:32] yeah
[16:32] takes like 30min to setup
[16:32] openvpn is crazy simple
[16:32] and like 0 maintenance
[16:32] patdk-lap: its not the server -- its the client i'm talking about
[16:32] heh?
[16:33] I'm coding in python, and dont like executing external commands-- do you know of a python client for openvpn?
[16:33] what is there to maintain on a client?
[16:33] magicblaze007: they're peers.
[16:33] the only problem i've with openvpn is my client code.
[16:34] magicblaze007: yeah I can understand that.
[16:34] magicblaze007: what about just using SSL + stunnel?
[16:35] never looked at stunnel
[16:35] magicblaze007: its pretty simple, a lot simpler than sshd
[16:36] is it better to use that compared to doing a "ssh -R"?
Right now i'm doing a reverse proxy
[16:36] magicblaze007: -R would require you to allocate a port randomly on the server wouldn't it?
[16:36] what does the client need? In my case the client only needed an equivalent of "ssh -R"
[16:37] I'm using a script on the client to post its public key to the server, and get back a port number right now
[16:37] magicblaze007: how are you posting that? via clear HTTP?
[16:37] yes
[16:38] if someone else uses that port, i just pick another one
[16:39] SpamapS: how does one do reverse proxying using stunnel?
[16:39] magicblaze007: you realize you lose all the security of SSH then... somebody else might be man-in-the-middle and posting their own key.
[16:40] Hi - having an apache mod_rewrite problem: requesting an image which should be served directly but is instead failing RewriteCond %{REQUEST_FILENAME} !-f and being passed through to PHP. Any idea why - see rewrite log and vhost conf here: https://gist.github.com/9a83ad3155ee521d44c5
[16:40] magicblaze007: you really should use SSL for both bits here
[16:40] magicblaze007: SSL would be very easy in python as well.
[16:41] or I should say *passing RewriteCond %{REQUEST_FILENAME} !-f when it should fail. the file does exist.
[16:41] SpamapS: how so? I've two levels of encryption -- useless but there -- IIS --> https --> ssh tunnel --> client -- even if the ssh keys are taken, the https keys encrypt everything, isnt it?
[16:42] SpamapS: indeed, but what i dont know is how to patch the https server on the client, make it talk to in python using ssl -- then patch it thru to stunnel
[16:43] SpamapS: In case of ssh -- its just ssh -R port : xx : port
[16:45] jamiemill: Do you have other RewriteCond's before that? the first one that matches usually drops through to the rule IIRC.. but its been a while since I did deep rewrite-fu
[16:46] SpamapS: no there's nothing more than in that gist linked above
[16:46] magicblaze007: right but ssh is designed to have user sessions.
You don't really need that. you just want an authenticated tunnel
[16:47] If I remember right, rewritebase only works in .htaccess
[16:47] and you need to put your rewrites inside a location section, to do the same type thing in a config file
[16:47] patdk-lap: +1 , that sounds right to me as well
[16:47] but then, I normally solve it via trial and error :)
[16:48] patdk-lap whoops you're right that was just a failed experiment, it's not actually in there
[16:49] SpamapS: if i use ssh for this compared to stunnel, how much speed/efficiency am i losing?
[16:50] SpamapS: Also, usually is stunnel an executable client that creates the port forwards?
[16:51] stunnel just opens a tcp tunnel, is all, an SSL encrypted tcp tunnel
[16:54] ah ok
[16:54] doesnt ssh -R do the same thing...?
[16:55] I solved my problem with thanks to #httpd - i had put the rewrite statements outside a directory block in my vhost config and so they don't work without a %{DOCUMENT_ROOT} being prepended on the URI
[17:01] is there a problem in setting authorized_keys of a login to have these settings: -rw-rw-r-- 1 mytunnel www-data 0 2012-01-02 10:55 authorized_keys ?
[17:02] magicblaze007, ssh -R opens up a secure tunnel for arbitrary ssh channels, one of which is a port forward somewhat similar to stunnel in security properties
[17:02] magicblaze007, yes, they need to be -rw--r--r--
[17:03] and the .ssh folder needs to be rwx------ or stricter
[17:03] the problem is that i've to add/delete keys from the web to this file
[17:03] from another account
[17:03] hence the group access...
[17:05] if a file belongs to user:group and the user is not in the group -- and both of them have read/write access -- unless someone is on my machine already as that group -- can they create trouble?
[17:06] you should really treat www-data as an insecure account
[17:08] "the problem is that i've to add/delete keys from the web to this file" is something I would tread very carefully around
[17:08] i.e., find some other way of doing it :p
[17:09] you could probably have it owned by the user you want to modify it though, with read access for the group
[17:09] (I'd still tend to avoid that sort of thing though)
[17:11] I have a similar issue with the common way of setting up ftp servers and mail servers: I'm deeply uncomfortable creating system accounts for agents which have no reason to log into the system
[17:13] (and the infrastructure required to switch effective users is quite error-prone)
[17:20] any cobbler pros here today?
[17:20] I'm trying to figure out where $iface.filename comes from (used in dhcp.template)
[17:26] mgw: is dhcp.template a pre-seed or a kickstart snippet?
[17:26] mgw: oh wait, n/m .. thats for generating the dhcpd configs
[17:26] yes
[17:26] it's in /etc/cobbler
[17:26] mgw: right, that stuff all is deeply embedded in code.
[17:27] it's putting this in dhcpd.conf: filename "gpxe/menu.gpxe";
[17:27] but should be putting pxelinux.0
[17:28] I have this in settings
[17:28] # cobbler uses pxe booting by default, enable this option if you want to
[17:28] # use gpxe
[17:28] use_gpxe: 0
[17:28] mgw: yeah maybe thats being overridden in some profile
[17:29] that's my thought, but I can't even find where to set it in the profile
[17:29] (in fact it does have the gpxe stuff in the json profile)
[17:30] for the system, that is
=== dendrobates is now known as dendro-afk
[17:32] "filename": "gpxe/menu.gpxe",
=== dendro-afk is now known as dendrobates
=== udienz_ is now known as udienz
[17:47] spamaps : any ideas by chance?
[17:47] Hey guise. Im having trouble connecting to postgresql. Ive tried opening the port(5432) in iptables and in ufw, but nothing seems to work. Im not sure how to config iptables, but ufw seems okay.
Does iptables "override" ufw, so my ufw rules wont work?
[17:55] Binsh, back up a couple steps, and define what you mean by having trouble
[17:55] mkay
[17:55] you can connect via loopback?
[17:55] and do things work correctly with the firewall disabled?
[17:56] (typically one would do these sorts of tests of a machine other than the production machine, and then simply apply the required settings)
[17:56] yeah, i can. when i nmap my server-machine, port 5432 doesn't appear, but it does on loopback
[17:56] that's moving forward, not backing up
[17:57] is postgres set to listen on a remote port?
[17:57] Yea
[17:57] prove it :p
[17:57] but still, the port should appear as open on nmap?
[17:57] hehe, 2sec
[17:58] listen_addresses = 'localhost,192.168.0.195'
[17:58] port = 5432
[17:58] in the config file
[17:58] /etc/postgresql/8.4/main/postgresql.conf
[17:58] and from the local machine, can you connect to it at the address 192.168.0.195?
[17:59] (and if you just made that change, you've restarted postgresql?)
[17:59] ive restarted the machine multiple times after that change =\
[18:00] and postgresql
[18:00] and you connect to it at the address 192.168.0.195?
[18:00] yeah, im sshing to it
[18:00] (from the local machine)
[18:00] no, I mean postgres
[18:00] no
[18:00] thats my problem ;)
[18:00] even from the machine itself?
[18:00] that works
[18:00] okay
[18:01] I believe you want to use only one mechanism or the other to configure your firewall
[18:02] so if you previously used ufw to set up ssh, then that's what you'll want to configure to make postgres work, for instance
[18:02] Yeah
[18:02] looked at /etc/ufw/applications.d/?
[18:02] Well, ufw was disabled until 1 hour ago
[18:02] when i knew it existed
[18:02] hehe
[18:03] ssh just worked after installing
[18:03] and have you looked at /etc/ufw/applications.d/?
[18:03] hmmm
[18:03] looking
[18:03] apache2.2-common openssh-server samba
[18:04] sense a theme?
:p
[18:04] hehe yeah
[18:04] :P
[18:04] make sure to read "man ufw"
[18:05] yeah, i did, but i couldnt see it mentioning anything about that
[18:05] i skipped down to the "allow" etc. sections
[18:05] hehe
[18:05] well, at the bottom it said "see also: ufw-framework"
[18:05] which is also a good one to read
[18:06] but in essence, I believe you just need to make a new file similar to the contents of an existing one, for postgres, and then poke the relevant things
[18:06] Yeah, im trying atm ;)
[18:08] cwillu_at_work: thanks
[18:10] cwillu_at_work: hmm, it doesnt seem to work :S
[18:11] did you do anything more than making the file?
[18:11] ahh, i found a typing-error ...
[18:11] when in doubt: you're doing it wrong :)
[18:11] yeah i restarted ufw oO
[18:11] hehehe
[18:22] cwillu_at_work: okay, now im making some progress here. My rules says that 5432 is allowed, but when i nmap from the local machine, it says its closed :S
[18:23] 5432/tcp closed postgresql
[18:23] [PostgreSQL]
[18:23] title=Postgresql server
[18:23] description=databaseskjit
[18:23] ports=5432/tcp
[18:23] root@ubuntu:/etc/ufw/applications.d# sudo ufw status
[18:23] Status: active
[18:23] To Action From
[18:23] -- ------ ----
[18:23] 80 ALLOW Anywhere
[18:23] 8080 ALLOW Anywhere
[18:23] 22 ALLOW Anywhere
[18:23] PostgreSQL ALLOW Anywhere
[18:24] this is giving me a headache oO
[18:24] have you got any idea bout whats wrong?
[18:25] didn't anyone ever teach you to pastebin?
[18:25] nope, but thx for doing that ;)
[18:25] * cwillu_at_work has his doubts, given that you apparently know what a pastebin is :p
[18:26] Hehe, i use it to post code and stuff to friends, but im not really the most experienced irc user^^
[18:26] if it's more than two lines, pastebin
[18:26] mkay
[18:27] among other things, it makes it much easier to look at potentially complicated stuff while still talking about it
[18:27] Yeah
[18:27] what does this say: sudo lsof -iTCP -sTCP:LISTEN
[18:29] http://pastebin.com/7zfLugm2
[18:29] here u go
[18:29] 2sec ill have a look
[18:30] http://pastebin.com/2uwxxQ2A
[18:31] hmm strange
[18:31] postgres 1446 postgres 3u IPv6 4736 0t0 TCP localhost:postgresql (LISTEN)
[18:31] localhost:postgresql
[18:31] postgres 1446 postgres 6u IPv4 4737 0t0 TCP localhost:postgresql (LISTEN)
[18:31] Yeah
[18:31] restart postgres
[18:31] are there any other interfaces on the machine?
[18:31] eth0, 1 and wlan
[18:31] 0
[18:31] if not, you may save some trouble by just using "*" instead of listing the interfaces
[18:32] eth1 is disabled in bios *
[18:32] wlan is also disabled
[18:39] the listen_addresses in postgresql is whats failing
[18:40] it seems like it dont accept any other alternative than '*'
[18:40] i tried inserting my ip 192.168.0.195, but it wouldnt work ...
[18:41] well, at least now it works, thx for ur time cwillu_at_work ;)
=== dendrobates is now known as dendro-afk
[19:46] New bug: #910955 in samba (main) "package samba 2:3.5.8~dfsg-1ubuntu2.3 failed to install/upgrade: ErrorMessage: package samba is not ready for configuration cannot configure (current status `half-installed')" [Undecided,New] https://launchpad.net/bugs/910955
[20:54] cwillu_at_work: would you mind testing my ssh public access account and tell me if there is a problem?
[20:54] I put my own program as shell.
(Which logs the user out automatically)
[20:55] sftp/scp doesn't seem to work
[20:56] is this the correct installer preseed line to immediately age the ubuntu user?:
[20:56] d-i preseed/late_command string chage -d 0 ubuntu
[21:39] When using KVM/QEMU on ubuntu server, can I in any way control the order in which machines boot after system boot?
[21:40] Because of memory ballooning, I have a handful of machines which I want to boot in sequence, instead of parallel.
[21:42] aarcane_: have a look at the startup script, see what it does. It might do them in alphabetical order or something
[21:56] pythonirc101, you should probably do some reading on what behaviours ssh supports :p
[21:56] (be right with you)
[22:00] back
[22:01] whois pythonirc101
[22:04] pythonirc101, sftp requires a legit shell to work
[22:04] qman__, sftp uses a completely separate subsystem, independent of the shell iirc
[22:04] for that reason, /usr/sbin/nologin exists
[22:05] I don't know at a technical level why it requires one, but it does
[22:05] you can trust me on that one
[22:06] if you set the shell to /bin/false or something that isn't a shell, it won't let you SFTP
[22:08] qman__: I wrote my own shell in python , that kicks the user out
[22:09] how evil
[22:09] that's my point, it's probably not doing whatever it is that /usr/sbin/nologin does to make SFTP happy
[22:09] cwillu_at_work: I did read ssh as much as I could + port forwarding
[22:09] you need to allow execution of sftp from the shell script
[22:09] qman__: it doesn't let sftp work...i tried that...
[22:09] I also learned while setting up jailkit (before openssh had jailing built in) that it requires a minimal environment too
[22:10] I run sftp after sanity checks, and print a message saying shell access disabled, sftp only
[22:10] qman__: I like nologin better -- just changed to that
[22:11] how else can I check for problems in an open ssh login?
[22:11] there's probably a way to start sshd with more verbose logging
[22:14] qman__, the shell requirement will be in /etc/pam.d/sshd or something referenced therein
[22:16] at least, I think :p
=== sixstringsg|away is now known as sixstringsg
=== dendro-afk is now known as dendrobates
[23:13] what kind of a key is this -- http://paste.pocoo.org/show/529050/ ? Can this be used instead of ssh id_rsa.pub/id_rsa for logins?
[23:14] i think that's a certificate key
[23:14] so no
[23:15] Resistance: what's the difference between certificate keys and the ones ssh id_rsa type?
[23:15] pythonirc101: different encryption technologies, different formats
[23:15] pythonirc101: just generate an SSH key
[23:15] its easy
[23:16] also, a certificate key decrypts the info in a certificate
[23:16] an SSH key doesnt decrypt anything, but works as an identifier
[23:18] Resistance: I've to do it from python
[23:18] you have to create an SSH key from python?
[23:19] yes
[23:19] why the heck would you need to do that?
[23:19] python doesnt have that capability
[23:19] because my application is written in python
[23:19] your application doesnt need an SSH key if its sitting at the server
[23:19] your client does to ssh in though
[23:19] my app is a client
[23:19] Python doesnt have SSH key compatibility, to my knowledge
[23:19] i'd ask around in the python channel
[23:23] k
[23:24] Could do with some help brainstorming something here. I have set up a new Ubuntu 11 server with apache/php, and compared to my Ubuntu 10 LTS server (both on AWS EC2), benchmarking a phpinfo() page is 3-4x slower on the new server. Any idea why or how I might find the cause?
[23:25] a real site is also slower, but I'm using the phpinfo page to cut my site out of the equation for comparison
[23:29] you sure both ec2 machines are the same?
[23:29] did you benchmark them otherwise, than just php?
[23:30] ec2 is a pretty random source to *expect* a certain speed
[23:30] patdk-lap: they are both m1.large instances.
The new one I configured via chef, whereas the old one was not. But I have copied the exact php.ini and apache.conf files over from the old server to make sure the config is the same.
[23:31] well, first, make sure both have the same exact php plugins enabled
[23:31] second, try benchmarking the two machines, WITHOUT USING PHP/APACHE as a so-called test
[23:31] patdk-lap: I just benchmarked a plain html file and it seems the new server is actually *faster* in this case. so must be php-related
[23:32] ec2 is nice and all, but it's a shared resource, your performance on it could be different from moment to moment :(
[23:33] patdk-lap: hmm yes I understand but I have spun up quite a new instance since yesterday and all day it has been consistently the same amount slower
[23:34] patdk-lap: are you suggesting benchmarking the machines CPU somehow?
[23:35] dunno, I wouldn't know where the slowness would be
[23:35] cpu, disk
[23:35] it could be php
[23:35] I know for me, enabling the php snmp module slows things down by a few seconds
[23:37] patdk-lap: hmm - the new server has less modules enabled. in fact snmp is on the old (faster) server.