[01:42] <smoser> SpamapS, around ?
[01:46] <smoser> well, if you see this, see in #juju . looking for "how do i do the orchestra provider"
[02:28] <samba35> i am @ home with 2 pc ,1st pc is utm (firewall/vpn/av.etc) and 2nd pc is linux with 3 interface ,i want dmz traffic on eth1 and lan traffic on eth0 how do i configure this usage scenario
[02:32] <twb> UTM?
[02:33] <twb> If you only have two hosts, where is the DMZ?
[02:41] <samba35> sorry
[02:41] <samba35> utm is unified threat management
[02:42] <samba35> which provide anti-virus ,anti-spam, ips/ids ,firewall ,vpn ,routing ,proxy and more thing in one box
[02:42] <twb> OK, an appliance
[02:43] <samba35> yes
[02:43] <samba35> u can get this on software based also /virtual also
[02:44] <samba35> my utm network is 192.168.2.0/24 and dmz is 192.168.3.0/24
[02:44] <samba35> lan is on utm network
[02:44] <twb> Why do you have so many networks when you only have two hosts?
[02:45] <samba35> i want to use web server ,mail server ,ftp server with linux on dmz
[02:46] <twb> In English, the space goes *after* the comma.
[02:46] <samba35> and i also want to host windows xp and server on ubuntu using kvm but that is later
[02:46] <samba35> sorry for that i am not a native english speaker
[02:46] <samba35> please forgive for that
[02:47] <twb> No problem.
[02:49] <samba35> if i want to access ssh or ftp or web server from outside (from different location ) it should use dmz and when i am @ home it should use lan /utm
[02:50] <twb> http://paste.debian.net/150904/ normally your network would look like this
[02:51] <twb> Routing, DHCP, DNS, firewall, QoS, NTP, are done on the bastion.
[02:51] <twb> Services like HTTP, IMAP, are done on servers hanging off the DMZ
[02:52] <twb> And internal-only server like Samba would run in the LAN, along with the desktops
[02:52] <twb> Now, it sounds to me like this "utm" is your bastion.  Is that right?
[02:52] <samba35> yes
[02:52] <twb> OK.
[02:52] <samba35> but how do i configure network priority
[02:53] <twb> I don't know what that means
[02:53] <samba35> ok ,let me try to explain again
[02:54] <samba35> say ,if u want to access my ssh ubuntu how u will ?
[02:54] <samba35> i have nat rule configure for that
[02:54] <twb> That configuration is done on the bastion
[02:55] <samba35> ok
[02:55] <twb> As you say, it is done with DNAT rules.
[02:55] <samba35> yes
[02:56] <samba35> can i send you pm so we will share more details
[02:57] <twb> No.  Discussion should take place in public.
[02:57] <samba35> ok
[02:58] <twb> ubottu: /msg
[03:07] <samba35> what is best tool in ubuntu server to manage multiple nics
[03:07] <twb> ip
[03:08] <samba35> any gui tool
[03:10] <twb> I don't approve of GUIs
[03:10] <samba35> do you have any idea on kvm networking
[03:10] <twb> It's the same as normal networking
[03:12] <samba35> if i use bridge do i have to use same ip address on ubuntu bridge and guest nic ?
[03:13] <twb> Just use kvm's built-in userspace networking
[03:13] <samba35> ok
[03:19] <airtonix> what are the compelling reasons to use nscd instead of bind?
[03:20] <twb> nscd is not nsd
[03:20] <twb> nscd should never be used
[03:21] <twb> nsd3 serves zonefiles; bind does both that and caching recursive resolving -- two DNS roles that IMO are unrelated and should be kept separate.
[04:02] <samba35> i have uninstalled apache2 still there is apache2 is been use (check with lsof ) how do i check which package is using apache2
[04:03] <twb> Pastebin the lsof output
[04:03] <samba35> ok
[04:03] <samba35> lsof -i 4 ? or
[04:04] <twb> What I mean is: what is your evidence, that apache2 is in use?
[04:04] <samba35> ok
[04:05] <samba35> http://pastebin.com/0Aby1mCJ
[04:06] <twb> OK, what is your evidence that apache2 was uninstalled?
[04:07] <samba35> i tried apt-get remove apache2 /httpd
[04:07] <twb> "sudo apt-get remove apache2" ?
[04:07] <samba35> apt-get purge apache2
[04:08] <samba35> yes 0 package remove
[04:08] <twb> OK, your problem is that apache2 is a metapackage
[04:08] <twb> The "real" apache2 package is called apache2-mpm-worker, or one of the other apache2-*-worker packages
[04:08] <koolhead11> hi all
[04:08] <twb> Er, one of the other apache2-mpm-* packages
[04:08] <samba35> ic
[04:09] <samba35> how do i check /search all packages with apache
[04:09] <samba35> apt-file ?
[04:09] <twb> Try apt-get autoremove, otherwise try manually removing packages
[04:09] <twb> samba35: apt-cache search
[04:10] <samba35> it will search on internet right ,i want all locally
[04:10] <twb> Wrong.
[04:10] <samba35> ok
[04:15] <samba35> twb, thanks got it remove
[04:15] <samba35> dpkg --get-selections |grep -i apache2
[09:48] <koolhead17> hi all
[09:54] <Tm_T> good day
[11:12] <_johnny> hi, i'm trying to use curl on a non-standard http server which gives incorrect (or no) content-length. i've tried setting NOBODY to true, "Expected:" to empty array, but i still get "transfer closed with ... bytes remaining to read" (or blocked time out if NOBODY = true). any ideas?
[11:21] <uksysadmin> _johnny, when you say non-standard... what is it you've got set up and what is the curl command line used?
[11:25] <_johnny> uksysadmin: i have not set it up, and it's over SSL so debugging was a bit tricky at first. it turns out there's a IGNORE_CONTENT_LENGTH which solved it :)
[11:25] <uksysadmin> glad I could help! ;-) lol
[11:27] <_johnny> ;)
[11:28] <Ursinha> good morning :)
[12:56] <zul> morning
[13:06] <uksysadmin> hi zul, ttx suggested asking you about weekly releases of openstack on precise... is there anything I need to add to my apt configs or is this something that happens weekly in precise from the standard repos?
[13:07] <zul> no there isnt anything you need to do extra they will just magically appear
[13:10] <ttx> zul: did we converge on packaging ?
[13:11] <ttx> I was wondering if there were still differences
[13:11] <zul> still a bit of convergence will be synching everything up today
[13:15] <uksysadmin> thanks zul and ttx
[14:29] <raubvogel> I setup a machine to do kerberos authentication and now when I try to change the password of a local user it wants its kerberos password. How come?
[14:35] <pmatulis> raubvogel: prolly b/c of pam.  pastebin /etc/pam.d/common-password
[14:36] <raubvogel> pmatulis: the "minumum_uid=1000" in line 27 perhaps? http://pastebin.com/nWLs2rcN
[14:42] <pmatulis> raubvogel: right, see http://manpages.ubuntu.com/manpages/lucid/man5/pam_krb5.5.html
[14:43] <raubvogel> Yeah. Yesterday we switched to kerberos. I bet we will still find other fun issues down the road...
[14:58] <philpem> Hi all. I've set up a machine with 11.10 Server, running headless and I'd like to use it as a virtual machine host. I'm thinking Orchestra might be the easiest way to set up the VMs, but how would I go about using this with KVM or Virtualbox?
[14:58] <philpem> Also, are there any admin tool (command line or web) which would make it easier to set up the VMs, create/delete them, start/stop, and so on? The KVM command line tools seem a bit rough around the edges.
[15:05] <pmatulis> !info virt-manager
[15:05] <pmatulis> philpem: ⤴
[15:06] <philpem> pmatulis, I get the impression that it's desktop only though, and not really intended for servers.
[15:06] <philpem> As in, if I install it I may well get X11 and half of GNOME or KDE thrown in for good measure
[15:07] <pmatulis> philpem: correct, you run it on a desktop and connect to the server
[15:07] <philpem> Well that sounds easy enough. Is there a HOWTO for what I need to set up on the server?
[15:08] <pmatulis> philpem: but you can install it on the server as well (giving you access to local iso files and the host's bridge, if necessary) and it doesn't drag in the kitchen sink
[15:08] <pmatulis> (i.e. ssh -Y server virt-manager)
[15:09] <pmatulis> philpem: re 'howto', virt-manager is independent of the server.  maybe i misunderstand your question
[15:10] <philpem> I just need to know if there's anything that needs installing or setting up on the server to allow virt-manager to connect
[15:11] <pmatulis> philpem: just standard kvm & libvirt
[15:11] <pmatulis> philpem: do you have your kvm host set up yet?
[15:11] <philpem> i installed the virtualisation stuff as part of tasksel
[15:11] <pmatulis> there you go
[15:17] <philpem> hmm, i get the impression Orchestra is going to be a non-starter.
[15:17] <philpem> "Network interface does not support PXE"
[15:18] <kirkland> philpem: if you want to install a hundred or more physical machines in parallel, in a consistent, automated fashion, you want Orchestra
[15:18] <kirkland> philpem: if you want "simple" KVM creation/deletion from a GUI, virt-manager is the best there is
[15:18] <kirkland> philpem: if you want something much more graphical, have a look at VirtualBox
[15:19] <philpem> I just want an easy way to create a bunch of similar-or-identical build server VMs, LAMP servers and so on for different things. perhaps virtualbox would be a better option.
[15:21] <philpem> and if virtualbox + phpvirtualbox + orchestra is that solution, then great.
[15:21] <pmatulis> philpem: use virt-manager
[15:23] <philpem> pmatulis, and just install from ISO instead of using Orchestra? (seeing as virt-manager + KVM doesn't seem to allow PXE, and Orchestra appears to require PXE to install)
[15:23] <pmatulis> philpem: i install from pxe all the time with virt-manager
[15:24] <pmatulis> philpem: i think you're over-engineering yourself
[15:24] <philpem> very possibly :)
[15:24] <pmatulis> !info kvm-pxe | philpem
[15:53] <rbasak> SpamapS: around?
[15:55] <SpamapS> rbasak: yes but I will be disappearing to take son to daycare in about 20 minutes
[15:55] <rbasak> OK, I'll be quick
[15:56] <rbasak> just want to check on something
[15:56] <rbasak> bug 858860, cobbler users.digest world-readable, already fixed in precise
[15:57] <rbasak> I included it in a security fix reviewed by the security team in bug 858878, Tyler would like the fix to also apply to the upgrade path
[15:57] <rbasak> I figure that the fix needs to go into precise too, so it would make sense to do that first
[15:57] <rbasak> I've just written http://paste.ubuntu.com/792803/ (untested). Is that sensible to push for precise, or would there be a better way of doing it?
[15:58] <rbasak> Then I figure I can do the same for security but just change the version it compares against
[16:00] <SpamapS> rbasak: sorry got pulled away.. reading
[16:01] <rbasak> ok. the paste is a new debian/cobbler.preinst file
[16:02] <SpamapS> rbasak: that looks good... assuming the version mentioned is the absolute last version that had the problem. Might be better to do "lt" the version that fixed it.
[16:02] <rbasak> thanks, lt sounds better, I'll do that
[16:16] <philpem> hm.. DHCP doesn't appear to be working for the virtual machines.
[16:16] <philpem> I can see BOOTP/DHCP packets on virbr1, but there's no DHCP server response
[16:17] <philpem> which DHCP server does Orchestra use? I can see it uses Dnsmasq, but it doesn't appear to configure it...?
[16:26] <philpem> ok, it uses dnsmasq, but Cobbler sets it up a bit differently (obliterates the config and replaces it with its own). need to edit Cobbler's template so that it doesn't stomp all over my LAN DHCP server
[16:26] <philpem> it did, however, boot very nicely into the VM :)
[16:26] <philpem> and autoconfig works brilliantly
[16:27] <philpem> /etc/cobbler/dnsmasq.template -- add "interface=virbr1" near the top
[16:38] <andreserl> philpem, yeah in order to get cobbler's DNS/DHCP features working with orchestra, you should have been asked that question upon installation
[16:41] <philpem> I was, but it started listening on eth0 and confused the hell out of my network server!
[16:41] <philpem> after changing the template file to listen on virbr1, it works fine
[16:42] <philpem> next step will be to add a 2nd ethernet interface and attach it to the LAN
[16:42] <zul> ttx: http://paste.ubuntu.com/792852/
[16:43] <ttx> zul: did you add nova-rootwrap to your sudoers ?
[16:43] <ttx> nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap
[16:43] <ttx> see http://wiki.openstack.org/Packager/Rootwrap
[16:44] <zul> ttx: yep i did
[16:45] <ttx> zul: well, apparently running "sudo nova-rootwrap iptables-save -t filter" as the nova user asks for a password on your system
[16:45] <ttx> while it shouldn't, if that line is in your sudoers file
[16:46] <ttx> looks like a bug in your setup, or in sudo :p
[16:46] <ttx> (worked well back when I tried, though)
[16:46] <RoAkSoAx> philpem: could you please file a bug report at https://bugs.launchpad.net/ubuntu/+source/orchestra/+filebug describing your issues and the process you followed to change the interface so it gets documented and I can make it work automatically (or request the interface to use on configuration)
[16:47] <philpem> RoAkSoAx, certainly.
[16:47] <RoAkSoAx> philpem: awesome, thank you!
[16:47] <zul> ttx: damn it i know whats wrong
[16:51] <zul> ttx: i suck
[16:52] <philpem> Hmm. It installed without asking me what I wanted to set as a username and root password. Nice.
[16:53] <RoAkSoAx> philpem: ubuntu/ubuntu and we are aware of that and we will work on it once we decide how is best ;)
[16:54] <philpem> :)
[16:55] <philpem> what I might do is rig up a provisioning script... create VM, wait for it to call in, SSH in as ubuntu/ubuntu, then sudo, create user accounts depending on the machine's role, disable the ubuntu user, set up PPAs and repositories and log out.
[16:55] <philpem> though I suspect most of that can be done with.. what are they called, kickstart scripts?
[16:56] <philpem> instructions to the installer along the lines of "I want you to do this, don't ask me, just do it."
[16:56] <RoAkSoAx> philpem: in debian/ubuntu we use preseed's and can probably be done with late_commands
[16:56] <RoAkSoAx> adam_g: let me know when you are around
[16:58] <GrueMaster> Daviey, rbasak:  Just saw server meeting notes re: ARM kernel issues.  I am already doing weekly precise (armel &armhf) installs on Panda and running the full QRT kernel test suite.  I am setting it up to run more autonomously in my jenkins setup.  If you have any questions or other tests, let me know.
[16:59] <GrueMaster> I am also ramping up to automate as many of the tests that I ran in O for server as possible.
[16:59] <rbasak> thanks GrueMaster
[17:00] <rbasak> arosales: ^^
[17:01] <arosales> GrueMaster: good stuff, thanks
[17:02] <Daviey> neat
[17:05] <philpem> RoAkSoAx, https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/911873
[17:07] <philpem> I seem to be doing rather a lot with Launchpad these days... two bugs filed in a week (one kernel build system, now a feature-req for Orchestra) and my first PPA... :)
[17:09] <philpem> I really should port those fixed Debian linux-GPIB packages to Ubuntu... hm.
[17:16] <RoAkSoAx> philpem thanks will work on it this week :)
[17:17] <philpem> RoAkSoAx, looks like virt-manager may have some issues with the way Orchestra works... dnsmasq is getting very upset. going to try a reboot and see if it behaves
[17:18] <philpem> more specifically, virt-manager is spitting out dnsmasq errors when i create network interfaces
[17:18] <philpem> Error starting network 'PXEReload': internal error Child process (dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/PXEReload.pid --conf-file= --except-interface lo --dhcp-option=3 --listen-address 192.168.100.1) status unexpected: exit status 2
[17:18] <philpem> drat.
[17:21] <RoAkSoAx> philpem: uhmmm but if you are running dnsmasq with orchestra + libvirt with dnsmasq it will most likely cause issues
[17:21] <philpem> thing is libvirt SHOULDN'T be running dnsmasq at all
[17:22] <RoAkSoAx> philpem: you might wanna take a look to: https://code.launchpad.net/~smoser/+junk/cobbler-devenv
[17:22] <philpem> DHCP is disabled in virt-manager. Orchestra should have it enabled so I can do PXE reinstalls, but it most definitely shouldn't be enabled for that interface
[17:22] <RoAkSoAx> philpem: try sudo cobbler sync
[17:23] <philpem> just seems to crash when I run it
[17:23] <philpem> if I ctrl-C it, I get "httpd does not appear to be running and proxying cobbler"
[17:24] <RoAkSoAx> philpem: sudo cobbler sync? can you pastebin the output
[17:24] <philpem> RoAkSoAx, no output -- http://paste.ubuntu.com/792888/
[17:26] <philpem> the KVM virtual network interface isn't even up... huh?!
[17:26] <RoAkSoAx> philpem: that's pretty weird. can you pastebin /var/log/cobbler/cobbler.log
[17:27] <philpem> http://paste.ubuntu.com/792894/
[17:28] <RoAkSoAx> philpem: seems that the change made in dnsmasq.template is not correct
[17:29] <RoAkSoAx> philpem: as for the output it seems that it's a dnsmasq issue that apparently might have killed cobbler
[17:29] <philpem> ugh
[17:29] <RoAkSoAx> or there's an invalid parameter being passed to dnsmasq
[17:29] <philpem> and the changes cobbler made might have killed the virtual network stuff
[17:29]  * philpem goes to find a keyboard and a display
[17:30] <RoAkSoAx> philpem: cobbler won't really mess up with any virtual network stuff
[17:30] <RoAkSoAx> philpem: it will start/stop dnsmasq but if dnsmasq fails to start, then cobbler should continue to run successfully
[17:31] <RoAkSoAx> philpem: but in the log, there's a dnsmasq output for -h, which means there's an invalid/not known option being passed to it that causes dnsmasq to output the help
[17:31] <RoAkSoAx> the help menu
[17:35] <philpem> ok, this is really really weird.
[17:35] <philpem> I just removed that line from dnsmasq.conf and reverted the template (knew there was a reason I kept /etc under version control)
[17:36] <philpem> virt-manager reports all VM interfaces as down, ifconfig says they don't even EXIST.
[17:36] <philpem> try and bring up PXENetwork and I get:
[17:36] <philpem> Error starting network 'PXEReload': internal error Child process (dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/PXEReload.pid --conf-file= --except-interface lo --dhcp-option=3 --listen-address 192.168.100.1) status unexpected: exit status 2
[17:37] <RoAkSoAx> philpem: that's maybe libvirt?
[17:38] <philpem> oh this IS interesting. 'sudo killall dnsmasq' and it works fine.
[17:39] <philpem> this would seem to explain the issue -- https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/500484
[17:39] <philpem> now how to fix it?!
[17:40] <RoAkSoAx> philpem: so you are using orchestra in the host to provision VM's only?
[17:40] <philpem> yeah
[17:40] <philpem> "The above workarounds only work if you also set "bind-interfaces" in /etc/dnsmasq.conf, otherwise dnsmasq binds to the wildcard address."
[17:40]  * philpem has a sneaky plan
[17:41] <RoAkSoAx> philpem: well I currently run orchestra as a VM to deploy VM's and let libvirt handle dnsmasq
[17:41] <philpem> ah.
[17:42] <philpem> I was running Orchestra on the VM host, alongside libvirt
[17:43] <RoAkSoAx> philpem: I do have an orchestra server on a VM host, but I don't manage dns,dhcp
[17:44] <philpem> hm, it seems the problem is virt-manager doesn't let you specify PXE/bootp parameters in the network settings, so you can't make it bring new VMs up from cold
[17:46] <RoAkSoAx> philpem: but libvirt does.
[17:47] <RoAkSoAx> philpem: <bootp server="$all_systems.cobbler.ipaddr" file="pxelinux.0" />
[17:47] <RoAkSoAx> philpem: you might be interested in: lp:smoser/+junk/cobbler-devenv
[17:48] <RoAkSoAx> philpem: once you setup that, you can use install orchestra in the cobbler VM
[17:48] <RoAkSoAx> philpem: that's what I use, but we haven't had time to update that to use orchestra by default
[17:49] <philpem> "starting kvm... FAIL". yay.
[17:51] <philpem> grr. had a stray left over in /etc/dnsmasq.d from my earlier attempts with kvm.
[17:53] <philpem> hm. dnsmasq is bringing up the libvirt interfaces now.
[17:54] <philpem> but libvirt keeps running it even though DHCP is disabled on that interface!
[17:59] <RoAkSoAx> uhmm interesting
[17:59] <RoAkSoAx> philpem: you might wanna consult that with hallyn
[18:00] <zul> adam_g: around?
[18:06] <philpem> ok, so the workaround is to either NAT the thing, or edit the XML files to bridge my "local LAN" interface to eth0
[18:06] <philpem> blehhh...
[18:15] <indstry> When adding a second drive to my fstab conf file,  I first create a mount point dir.  When creating that dir what permissions should i set?  would permissions on the drive itself override the mount points permissions?
[18:16] <zul> Daviey: ping
[18:20] <adam_g> zul: yo
[18:20] <adam_g> RoAkSoAx: yo
[18:21] <zul> adam_g: im switching over the nova_sudoers to use the nova-rootwrap, its been tested i just had to add a patch that has been fixed upstream
[18:21] <RoAkSoAx> adam_g: yo! man! So I tried to reproduce bug #908895... with no success
[18:22] <adam_g> RoAkSoAx: weird, gimme a few and ill make sure i can still reproduce
[18:22] <adam_g> zul: cool. if its been fixed upstream wont the patch be unnecessary after the next snapshot?
[18:23] <RoAkSoAx> adam_g: are you setting the *system* name to precise-x86_64?
[18:23] <zul> adam_g: yeah it wont be needed, but they are having devstack pypi issues right now
[18:24] <adam_g> RoAkSoAx: im doing nothing special, installing, importing isos, booting something and selecting an entry off the menu
[18:25] <Daviey> zul: hola
[18:25] <zul> Daviey: nova has libguestfs support now is that something we should look at?
[18:25] <RoAkSoAx> adam_g: 1. downloaded iso. 2 imported it. 3. created a system selecting that profile, 4. installation doesn't fail
[18:26] <RoAkSoAx> adam_g: the hostname gets inherited from the system name if it is not set
[18:27] <Daviey> zul: interesting, this came up a while ago IIRC
[18:27] <Daviey> as a standalone thing.
[18:27] <Daviey> I think we should certainly investigate
[18:27] <Daviey> Out of interest zul, how are MIR's looking?
[18:28] <philpem> ok, it looks like to get this working, i need to set the bridge up manually.
[18:28] <adam_g> RoAkSoAx: right. id love to have it totally usable out of the box for non-juju installs, though, without worrying about enlistment.. if its just a matter of changing 1 character
[18:28] <zul> keystone MIR has been thrown back over the wall and horizon has been cleaned up so that I can start writing the mir
[18:28] <philpem> so I have br0 for the LAN and pxebridge to netboot the virtual machines
[18:28] <adam_g> RoAkSoAx: tho i suppose it wouldn't matter when the whole enlistment thing comes together. still think the default profiles should be bootable/installable regardless
[18:29] <philpem> that SHOULD stop libvirt interfering
[18:29] <Daviey> zul: \o/
[18:29] <pmatulis> philpem: are you still struggling with setting up a few guests on kvm?
[18:29] <philpem> just about fixed it actually
[18:29] <pmatulis> philpem: you don't need orchestra for that
[18:29] <RoAkSoAx> adam_g: right, but this works out of the box for non-juju installs. The hostname is not inherited from the profile name
[18:31] <RoAkSoAx> adam_g: if a system points to a profile, the hostname is inherited from the *system* name not, from the *profile* name
[18:31] <adam_g> RoAkSoAx: no, it doesn't unless the system has been enlisted
[18:32] <RoAkSoAx> adam_g: right, but what i'm saying is: In order to be able to have a cobbler *system* then it has to point to a cobbler *profile*
[18:33] <RoAkSoAx> adam_g: but yes, now i'm seeing your point when you are trying to deploy *from* a cobbler profile
[18:34] <adam_g> RoAkSoAx: yeah, i understand.  if there is no system configured, the menu presents user with a bunch of profiles, those should be bootable/installable.
[18:34] <RoAkSoAx> adam_g: yes they are, though your bug description should have made that differentiation :)
[18:35] <RoAkSoAx> more explicitly
[18:35] <adam_g> RoAkSoAx: i put together a new file server over the holiday. thought to myself, "oh! ive got this orchestra server ive been using for the last month to do dev work,ill just boot and install from there" it would have been awesome to just boot, choose precise, install.. w/o worrying about enlisting/macaddr/etc.
[18:36] <RoAkSoAx> adam_g: yes yes, I know what you mean now. You are booting of a profile, not of a system (speaking within cobbler terms)
[18:37] <philpem> oops. set up a bridge in /etc/network/interfaces and forgot the options to SAY it's a bridge.
[18:38]  * philpem waits patiently for the server to give up trying to bring up an interface called 'vmpxe' which doesn't exist...
[18:39] <adam_g> zul: are you talking about patching nova with the root wrapper stuff for precise, or oneiric/diablo?
[18:39] <zul> precise
[18:40] <adam_g> zul: ahh. is it getting cherry picked from master or from a patch thats still in gerrit review?
[18:41] <RoAkSoAx> adam_g: so I just selected precise-x86_64 off the PXE Menu and so far so good
[18:41] <zul> adam_g: still being reviewed: https://review.openstack.org/#change,2787
[18:43] <adam_g> zul: ah
[18:43] <adam_g> RoAkSoAx: weird. i haven't tried again with my setup. i will in a few
[18:43] <RoAkSoAx> adam_g: i have an installation error with grub but nothing about the hostname
[18:48] <philpem> woo! it works! :)
[18:49] <pmatulis> what does?
[18:49] <RoAkSoAx> philpem: awesome
[18:50] <adam_g> RoAkSoAx: if you still have the error'd system, can you check what its got for a hostname?
[18:50] <philpem> basically, you can't use the Routed or NAT interfaces because they start DHCP.
[18:50] <philpem> what you have to do is configure a network bridge for PXE manually, in /etc/network/interfaces
[18:51] <philpem> then run Orchestra on that interface, and tie the VMs to it
[18:51] <pmatulis> philpem: so this is a limitation of orchestra?
[18:52] <philpem> pmatulis, partly.
[18:52] <philpem> Orchestra won't let you tell it "I want you to ONLY listen on interface blah" -- it listens on ALL interfaces unless you edit the dnsmasq templates.
[18:52] <philpem> then run 'sudo cobbler sync'
[18:53] <philpem> Libvirt doesn't do bridging like VirtualBox does -- VBox asks you to nominate the ethernet adapter you wish to bridge to. KVM/Libvirt/virt-manager expects you to set up the bridge in /etc/network/interfaces, then specify the name in the virtual machine config
[18:55] <adam_g> zul: tftp-hpa is broke :(
[18:55] <zul> adam_g: dist-upgrade please :)
[18:56] <pmatulis> philpem: i routinely tell virt-manager to use my host's bridge
[18:56] <pmatulis> when i set up a guest
[18:59] <RoAkSoAx> adam_g: ok, I was able to reproduce it. For some reason my setup was using a different hostname than the profile name
[18:59] <RoAkSoAx> adam_g: ok so I will replace all _ with -
[19:00] <adam_g> zul: whats supposed to get upgrade to help? it looks like a bad upstart conf: start: Unknown job: tftpd-hpa
[19:00] <adam_g> RoAkSoAx: ahh
[19:00] <zul> adam_g: it was a bad upstart stanza which one are you using?
[19:00] <zul> ubuntu2 or ubuntu3
[19:00] <adam_g> 5.1-3ubuntu2
[19:02] <adam_g> RoAkSoAx: should we also rename existing release profiles on upgrade? via cobbler profile rename should be safe
[19:02] <zul> ok there is an ubuntu3 which fixes that
[19:02] <adam_g> zul: ah, updating my mirror
[19:03] <zul> adam_g: k
[19:03] <adam_g> back in 10min
[19:03] <RoAkSoAx> adam_g: you mean while updating the already imported iso's?
[19:08] <philpem> hmm, OK, there is one issue with the install.... it can't handle the concept of having two Ethernet adapters.
[19:09] <philpem> One ends up configured (the one used to PXE from), the other (the LAN I/F) does not.
[19:11] <RoAkSoAx> adam_g: so this is the change needed if you wanna test it: http://paste.ubuntu.com/793002/
[19:13] <RoAkSoAx> philpem: yes, unfortunately we cannot handle that in the preseed as we could with kickstarts. But you will have to look into late_commands. Also, if you want to file a bug report about it would be great
[19:13] <philpem> it *looks* like it doesn't use persistent-eth either.
[19:14] <philpem> and the rule for assigning eth numbers is that eth0 gets the lowest MAC address... or something along those lines
[19:15] <RoAkSoAx> right, but in regular bare metal installations its always gonna be the same MAC ;)
[19:15] <philpem> :)
[19:16] <philpem> i usually swap the ethN IDs around in /etc/udev.d/70-persistent-eth
[19:19] <philpem> I might have to save this scrollback for future reference :)
[19:21] <adam_g> RoAkSoAx: ah, cool. that looks a lot cleaner than what i was thinking
[19:26] <bitmonk> hey guys are there any kernel backports to lucid in a ppa somewhere? or examples of .config for -server oriented kernels? we need newer megaraid driver than lucid kernel has, and the last kernel someone built here is having stability issues under some workloads.
[19:43] <hallyn> stgraber: do I remember incorrectly that you enabled libcgroup uploads for me?
[19:43] <stgraber> hallyn: I thought I did yes. Looking...
[19:44] <hallyn> stgraber: was trying to upload with http://people.canonical.com/~serge/libcgroup.rm.debdiff applied, but it came back saying I had insufficient perms
[19:45] <stgraber> hallyn: could be that the ubuntu-server package set is autogenerated and libcgroup was lost with the last update. That or LP tried to fix the package set mess they created early in the cycle and that got dropped
[19:45] <stgraber> hallyn: anyway, I added it again now
[19:46] <hallyn> stgraber: thanks.  guess we'll find out in awhile if it is getting auto-regenerated :)
[19:46] <stgraber> if it's auto-generated, I'm not exactly sure why lxc would be in the ubuntu-server package set and not libcgroup which is part of its recommends
[19:47] <hallyn> was lxc in there?
[19:47] <stgraber> yeah, I checked and lxc is in the package set
[19:47] <stgraber> maybe lxc should be promoted to main at some point, as we seem to recommend it everywhere :)
[19:48] <hallyn> stgraber: btw a bug raised by smoser reminded me that devpts is worse off than i thought, and to our apparmor security mitigations for lxc concerns we need to add 'mount -t devpts devpts /mnt' from a container, which will give it the host's devpts
[19:48] <stgraber> then we'll have a very good reason to ensure libcgroup is in the ubuntu-server packageset (and stays there)
[19:48] <hallyn> true.  it's been awhile since lxc MIR was rejected.  Wonder how it would fare now
[19:48] <hallyn> i could see it being rejected on the basis that "we already have libvirt-lxc"
[19:48] <hallyn> which would sink juju-lxc of course
[19:49] <stgraber> hallyn: yeah, that's the same problem I had before I patched mountall where devpts would get remounted and mess with the host. It's indeed pretty bad when someone does it on purpose.
[19:49] <stgraber> hallyn: I'm not sure how much flexibility apparmor will give us, but ideally I'd only allow perfectly safe filesystems (if that even exists) and loop mounting
[19:52] <stgraber> hallyn: looking at what gets mounted by mountall, I'd at least add binfmt_misc, debugfs and securityfs to the list of stuff we don't want
[19:53] <stgraber> for devpts, we'd also have to prevent the container from unmounting the ones we mount when we create the container
[19:54] <hallyn> we wouldn't have to if lxc made sure pre-the host's devpts was umounted before startup
[19:54] <hallyn> good point, i'll add binfmt_misc to the list on the wiki page  (the others i'd added yesterday)
[19:57] <hallyn> stgraber: finally (i assume we'll be chatting next week? :)  I've been trying to push Daniel to push the kernel patch for reboot, but we may have to go beg smb to take the patch as it stands
[19:57] <hallyn> (it has sign-off by Oleg, so I see no problems...)
[19:58] <stgraber> hallyn: yeah, missing that patch is currently making my containers to fail at shutdown (I'm running the patched mountall and without /etc/init/lxcmount.conf) and it's really the next step to get rid of lxcguest
[19:59] <hallyn> stgraber: somebody go tell linaro they're working him too hard :)
[19:59] <stgraber> I'll definitely have some time to discuss lxc next week, I guess we'll just need to go buy a pack of beer for smb and we'll be good for our patch ;)
[20:02] <hallyn> crossing my fingers...
[20:21] <philpem> Question re. Orchestra. If I do a bare metal install on a VM, are the VMs supposed to register themselves with Nagios?
[20:22] <philpem> Because Nagios Admin is only showing me what appears to be the VM server itself (calling itself "localhost")
[20:25] <philpem> Cobbler can obviously see that the VM is up though, because it turned netboot off...
[20:27] <g00gle> I would like to install ZendTo (http://zend.to) and I have the x64 version of Ubuntu, however - in order for php to handle downloads / uploads of 2GB+ I need to compile php for x64... is this something you guys can help me with? is there such a package in the ubuntu repositories for x64 PHP...?
[20:28] <TJ___> Hello
[20:29] <TJ___> Does anyone know if a LEMP stack will ever be one of the install options?
[20:31] <philpem> TJ___, LEMP?
[20:31] <TJ___> linux, nginx, mysql, php
[20:31] <TJ___> as opposed to LAMP
[20:32] <jmarsden|work> I see no letter "E" in nginx ... ?
[20:32] <mgw> hey, i have a question regarding cobbler+dhcp (isc): If I have two interfaces (e.g., two VLANs) with the same MAC address, only one of them ends up in dhcpd.conf
[20:32] <TJ___> it's because nginx is pronounced engine-x
[20:32] <jmarsden|work> So either rename it to that, or ask for an LNMP stack :)
[20:33] <mgw> manually adding the second interface to dhcpd.conf works fine though
[20:35] <mgw> i think it's a bug, as it lets me add them to cobbler
[20:37] <TJ___> Well then, does anyone know if a LNMP stack is being worked on? I hear nginx can be better for hardware-limited machines.
[20:37] <TJ___> as one of the install options in tasksel that is.
[20:38] <jmarsden|work> Sounds like a trivial patch to tasksel, but whether there is enough interest from people who can't just sudo apt-get install nginx mysql php5 , I don't know.
[20:42] <g00gle> I'm trying to follow this: http://zend.to/phpfix.php and keep running into issues when I use the source from apt-get source .... any suggestions?
[20:48] <philpem> jmarsden|work, AIUI Nginx is pretty niche-market at the moment. It is in the repos, though.
[20:48] <philpem> So setting it up wouldn't be hard.
[20:49] <philpem> If you're doing it on a lot of machines you might want to write instructions, an automated script (e.g. Python) or a package to set everything up, but that's it.
[20:49] <jmarsden|work> philpem: Right, so I think it is more of a marketing "do we want this option in tasksel" question than a technical one.  And I'm more techie than marketing :)
[20:49] <philpem> LAMP is, at least at the moment, the standard and I think you'll find it hard to overcome the inertia that it's built up.
[20:51] <philpem> Also if you're at the point of using Nginx over Apache, you'll probably want to do the setting tweaks manually anyway (unless you have a box of identically configured machines, in which case... break out a SysRescCD image, a USB hard drive and a copy of PartImage)
[20:57] <shade34321> hey...this is probably a stupid question but I can't seem to find my answer, probably because I'm looking for the wrong thing. Essentially what we've just found out is that our webserver is allowing people to go through the folders and access content that is not allowed to be accessed w/o login credentials and then only certain people are allowed to see certain things.
[20:57] <shade34321> how can I get it set up correctly to do this? Also I took this system over almost a year ago just haven't had time to play with it much and hence why I haven't found it before...thanks for the help
[20:59] <philpem> shade34321, Htaccess / Htpasswd is one way to do it
[20:59] <shade34321> and the site is using drupal for the front end along with some trac
[20:59] <philpem> and "Options -Indexes" in your htaccess will stop it generating directory indexes where there is no index.{php,html}
[21:00] <shade34321> hmm..I will look into that, haven't looked/touched that in awhile but would that change anything in my current set up?
[21:00] <philpem> well, Options -Indexes would replace the directory listings with a 403 Forbidden error.
[21:01] <philpem> so if you go to http://foobar.local/images -- where you'd normally get a list of everything in /images, you just get a 403
[21:01] <shade34321> ok
[21:01] <shade34321> ill do that real quick
[21:02] <philpem> the htaccess/htpasswd stuff would pop up a password requester whenever someone wanted to browse either the entire site or a specific directory (depending on where you put the .htaccess file)
[21:02] <philpem> and for the love of $DEITY, don't put the htpasswd file in public_html! put it somewhere else that Apache can see, but that Apache won't serve to the world
[21:02] <shade34321> lol
[21:03] <philpem> otherwise someone can download the htpasswd file, then crack the password hashes....
[21:03] <shade34321> i may actually take the site down for a week or so to play with this because according to the ubuntu docs htaccess is not the preferred way
[21:03] <philpem> I usually mkdir /var/htpasswds and put them in there
[21:03] <philpem> I'm suggesting quick ways to tighten up a site, i thought that's what you wanted :)
[21:04] <shade34321> yup....right now quick
[21:04] <philpem> but yeah, grab the Ubuntu Server Guide and read through the section on Apache.
[21:04] <shade34321> and then fix it for good
[21:04] <philpem> the base install is usually fairly tightly locked down.
[21:04] <shade34321> (my philosophy in life...fix it quick then go back and do the shit right:)
[21:05] <philpem> if you're running PHP, Suhosin is worth turning on (it's a security-hardening extension which makes it less likely that a hole in a PHP app will allow the server to be rooted).
[21:05] <philpem> Ubuntu ship it by default, but make sure it's still enabled...
[21:05] <philpem> if someone's turned directory indexes on, there's no telling what else has been done.
[21:06] <shade34321> when i took this job the exiting admins told me google was my best friend and that was my training, we're all college students btw
[21:13] <philpem> shade34321, that is... shocking and yet not surprising.
[21:14] <shade34321> lol...which part the google stuff or we're college students?
[21:14] <philpem> the google stuff
[21:14] <shade34321> lol...it's very annoying
[21:15] <philpem> though to be honest, six years ago I took over a webhosting company (which still isn't making a profit but that's another story). never did a single Zend PHP course or anything.
[21:15] <shade34321> well congrats on making it so far:)
[21:15] <philpem> in six years I've learned enough to bring up a server from scratch, clean up a hacked server, trace intrusions and find out *exactly* what happened...
[21:16] <philpem> this is the sort of thing that's learned best as.. well, an apprentice really.
[21:16] <shade34321> lol
[21:16] <shade34321> yes it is
[21:16] <philpem> find someone who knows what they're doing and get them to teach you. kinda like what happened with blacksmiths, glassblowers and so forth :)
[21:16] <shade34321> luckily for me I have a bunch of friends who are smarter than I am so i grill them whenever I can...but alas they have work just like i do
[21:16] <shade34321> so time is always an issue
[21:17] <philpem> Well, we're all friendly in here. More friendly than most of the trolls in #ubuntu anyway :)
[21:17] <shade34321> that and they can't be allowed access to our systems...some national security stuff:(
[21:17] <philpem> Say no more.
[21:17] <shade34321> lol...and #centos:)
[21:18] <shade34321> (we use primarily RHEL systems with some other distros so I ask #centos a lot of questions just to find it on google hours later and nobody answered it)
[21:18] <philpem> if those machines are running RHEL, make use of the RedHat support contract :)
[21:19] <philpem> but my server (the web hosting one) is Centos + CPanel, so I know how that works.
[21:19] <philpem> hint: I spent nearly a day securing the stupid thing. on ubuntu it took 20 minutes, and most of that was ticking stuff off my checklist...
[21:19] <shade34321> i would love to but alas I don't have any of the info or the credentials to get the info,  I work for my school and so we have a plethora of RHEL support
[21:19] <shade34321> been working on trying to get it though
[21:19] <philpem> "disable directory indexes... oh, it's already off. check."
[21:20] <philpem> "set PHP to log errors to the apache error log... already done."
[21:20] <shade34321> lol
[21:21] <Folklore> whats the max number of connections
[21:21] <Folklore> ubuntu server can handle by default
[21:22] <Folklore> also is there a command to check that
[21:22] <guntbert> Folklore: what sort of connections?
[21:24] <Folklore> TCP
[21:24] <Folklore> since UDP is connectionless :P
[21:24] <Folklore> and others aren't on my radar
[21:26] <guntbert> Folklore: you will likely reach the individual limit of any server before you reach the OS's limit
[21:27] <Folklore> individual limit?
[21:28] <guntbert> Folklore: about what kind of server programs are we talking?
[21:28] <amstan> i'm trying to scp a lot of data over gigabit, but it seems like the cpu on my server's the bottleneck
[21:28] <amstan> i suspect it's the encryption
[21:28] <amstan> how can i disable it?
[21:28] <guntbert> Folklore: and please use my nick, so I get alerted to your answer
[21:28] <amstan> or pick a better cypher(which)
[21:29] <Folklore> ubuntu server
[21:29] <Folklore> GUNTBERT
[21:29] <guntbert> !tab | Folklore
[21:29] <Folklore> you assume i'm using the same client as you
[21:29] <Folklore> :p
[21:30] <guntbert> Folklore: ubuntu server, yes of course but you are talking about connections, so you will have some server programs running (httpd, smtpd,...)
[21:31] <Folklore> well i'm using thread pool and epoll
[21:31] <Folklore> so unless a new file handle(socket handle) takes up lot of mem
[21:31] <Folklore> I want to see how far I can push the server limit, so do you know the default setting
[21:31] <Folklore> and the memory usage
[21:32] <philpem> drat. it looks like the install image uses the PXE source as eth0 and doesn't bother setting up eth1 :(
[21:32] <guntbert> Folklore: it seems I don't understand what you are trying to do at all - so I'm obviously the wrong person to help you :)
[21:39] <Folklore> guntbert
[21:39] <Folklore> I want a simple simple server that can handle x number of tcp connections
[21:40] <Folklore> my question is what the default of limit is
[21:40] <Folklore> *os limit
[21:40] <Folklore> and possibly what kinda memory i'm looking at per connection
[21:41] <Folklore> not taking into account the memory I allocated, just from the connection itself, memory used at kernel level or whatever
[21:42] <guntbert> Folklore: I don't know of any hard coded limit - and as for the memory - the biggest part will be the buffer (I guess, with a lot of hand waving...)
[21:48] <Folklore> thanks
[21:48] <Folklore> guess only way to find out, is to find out heh
[21:48] <Folklore> and test
[21:58] <RoyK> Folklore: check the tunables under /proc/sys/net
[21:59] <RoyK> Folklore: current kernels (that is, recent as in the latest five years or so) will have reasonable defaults for most use
[22:01] <RoyK> Folklore: read http://fasterdata.es.net/fasterdata/host-tuning/linux/ or just google linux network tuning
[22:01] <RoyK> [rw]mem can be worth tuning
[22:02] <RoyK> and make sure you have a nic and driver that supports checksum offloading
[22:03] <nxvl> adam_g: ping
[22:08] <adam_g> nxvl: pong
[22:08] <nxvl> adam_g: i've been pointed at you to get some cloud deployment docs?
[22:08] <nxvl> adam_g: did you have those somewhere i can see them?
[22:10] <adam_g> nxvl: the only stuff i can point you to is whats been published on blogs last cycle. exactly what are you deploying?
[22:11] <nxvl> adam_g: a private cloud
[22:11] <nxvl> adam_g: and i have not much idea on how to do that
[22:13] <adam_g> nxvl: if you mean ubuntu + openstack, take a look at the series at http://cloud.ubuntu.com/2011/10/ubuntu-cloud-deployment-with-orchestra-and-juju/
[22:14] <nxvl> that one
[22:14] <nxvl> awesome, thanks
[22:15] <adam_g> nxvl: np. thats a bit outdated but should get you going. if you make it as far as https://wiki.ubuntu.com/ServerTeam/UbuntuCloudOrchestraJuju and run into problems ping me again. there are a couple more charms you'll need to checkout and deploy if doing this on precise
[23:24] <Aison> when I turn off my ubuntu server, I always get the message: system halted but in fact it's not turned off
[23:24] <Aison> why?
[23:32] <philpem> I'm using Orchestra to deploy servers. Each server has two NICs, both need to be enabled in DHCP mode. How do I make the installer enable the second one ready for the first boot?
[23:33] <Folklore> maybe echo DHCP=YES >> /etc/rc.conf
[23:33] <Folklore> or add it manually
[23:34] <Folklore> nano /etc/rc.conf
[23:35] <philpem> well, it's bringing the one it used to PXE-boot up (with DHCP) but not the second one
[23:35] <philpem> so I end up with eth1 active, and eth0 sitting idle.
[23:37] <Folklore> try
[23:37] <Folklore> ./etc/rc.d/dhcp start
[23:37] <Folklore> without .
[23:51] <shade34321> hmm...so my web server is allowing access to the directory view yet everything I can think of to disable this is failing. If I go to the base url I see the home page yet if I go to the file manager I can edit the url and eventually get to the root of the websites folder structure. Any ideas of what I'm missing?
[23:52] <shade34321> I've tried to edit the .htaccess, get a new version of the .htaccess file, edit the virtual hosts file