/srv/irclogs.ubuntu.com/2012/02/06/#ubuntu-server.txt

=== Lcawte is now known as Lcawte\|Away
=== Lcawte\|Away is now known as Lcawte
=== Lcawte is now known as Lcawte\|Away
Thermionix	yo, quick question - I setup 12.04 server alpha 2 the other day, and it has linux-image-3.2.0-12-generic instead of linux-image-server	03:58
patdk-lap	yep	03:59
Thermionix	is that meant to be?	04:01
dravekx	I'm trying to setup a bash script to add user accounts. I think I'm doing it wrong. anyone give me a hand? http://pastebin.com/28VkfHNL	04:18
twb	Thermionix: the latter probably depends on the former	04:18
twb	dravekx: yes, that is wrong	04:19
twb	Second line should be "adduser $i sftponly".	04:20
dravekx	ah	04:20
twb	You should have a set -e and a trap to report it, so that the script will abort on errors instead of carrying on regardless.	04:20
twb	set -eEu; set -o pipefail; trap 'echo >&2 "$0: unknown error"' ERR	04:20
twb	Line (4) should probably be an argument to the first adduser	04:21
twb	Lines 6 through 8 should be an install(1) call, and line (5) should probably be recursive.	04:21
twb	You should also ensure that e.g. PHP evaluation is disabled in such users' public_html dirs	04:22
twb	Oh, and htaccess, although IIRC that is off in the default configuration for those dirs	04:22
twb	Further discussion should be directed to #bash (for scripting) and #httpd (for apache httpd).	04:23
dravekx	I need php in userdirs. they have php apps. :S	04:23
twb	dravekx: they should probably have separate jails then	04:23
twb	dravekx: talk to the #httpd people about best practice; my policy is simply "no PHP on my system at all"	04:23
dravekx	they are jailed in the public_html folders.	04:23
dravekx	k	04:24
twb	dravekx: SSH is but not http, I expect	04:24
twb	i.e. they write and upload a PHP program, that PHP program when run won't be jailed by the sshd_config	04:24
dravekx	ah really? I didn't know that.	04:24
dravekx	lots to learn then. lol.	04:25
=== kees_ is now known as kees
Thermionix	anyone think its worth setting up mcelog? running a c2d processor kernel 3.2 x64	06:57
sectionme	Anyone know of an options for nfs exports to allow nesting of mounts on the server-side, eg. /exports/work/{project1,project2,project3} which say project2 is on a different mount point, currently it gets exported as the empty directory as if it wasn't mounted, nohide doesn't seem to solve the issue.	07:03
renagadexx	I can't get a stupid damn subdomain to work with apache2. I've added virtual hosts to httpd.conf and I'm pretty sure the DNS is configured properly, but I keep getting 500 errors every time I go to the subdomain.	07:23
renagadexx	Any ideas why?	07:23
twb	Thermionix: IME no	07:23
greppy	renagadexx: anything in the logs?	07:24
renagadexx	yeah, want me to pastebin?	07:24
=== Skaag_ is now known as Skaag
renagadexx	greppy: Let me paste. It may have something to do with pywebsocket...	07:27
cemc	hi. I have a 6core AMD Opteron server (HP DLXY G6), 16GB RAM. I've installed a 10.04.3 LTS 64bit on it, and then I installed a CentOS 6.2 64bit in a vm in KVM.	07:28
cemc	I have a constant 0.2-0.3 load on the host, but the vm is not doing anything at all.	07:28
cemc	http://pastebin.ubuntu.com/831053/ - this is the host, sorted by TIME column. that kvm is the only one running	07:29
cemc	http://pastebin.ubuntu.com/831056/ - this is the vm, also sorted by TIME	07:30
greppy	renagadexx: yeah, that's not apache that's having the problem, it looks like your python bits are the problem.	07:30
cemc	is there anything I should know about or tweak maybe, to not get this load. I mean if I start multiple VMs and I'll have 1+ load while idle, that's no fun	07:31
renagadexx	chill...I'll add handlers for the subdomain and see what happens!	07:31
sectionme	cemc: what kind of disk are you using for your guest? img/cow/cow2/etc or lvm? I've noticed load on my hosts using img over lvm.	07:32
cemc	sectionme: LVM	07:32
cemc	sectionme: should there be this much load with the vm idling?	07:33
sectionme	cemc: have you tried using kvm_stat?	07:35
cemc	sectionme: nope, I'm trying it now, thanks. anything else?	07:36
sectionme	cemc: could always try cloning your guest and starting that up also, see if theres an increase in load or if it remains the same on the host. I don't have any unloaded hosts here to try on myself, so can't help all that much more.	07:37
cemc	sectionme: alright, thanks for the tips anyway	07:38
sectionme	cemc: one thing that springs to mind is the kernel that the guest is running, eg. is it tickless? is it the eqiv. of -virtual?	07:41
cemc	sectionme: I don't think so, it's the default centos 6.2 one. but the strange thing is, this same vm doesn't cause load on a centos 6.2 host with kvm	07:43
cemc	sectionme: how can I check the tickless part?	07:43
sectionme	cemc: that is a little strange, for the kernel config, it might be under /proc/config.gz depending on the kernel build.	07:45
sectionme	cemc: Btw have you tried asking in #kvm? They _should_ know better :)	07:47
renagadexx	greppy: well shit, mod python isn;t playing nice	07:55
renagadexx	its comlaining there is no _path	07:56
cemc	sectionme: I will, thanks!	07:56
=== jtv is now known as jtv-C8H10N4O2
jasonmsp	hey all.. Im in the process of learning git and came up with a tutorial that is looking for gitk.. Since im sshd into the server I don't have a graphical interface, nor do I want to. What is the alternative to gitk for a command line view?	08:14
=== jtv-C8H10N4O2 is now known as jtv
greppy	jasonmsp: just... git?	08:19
sectionme	jasonmsp: http://stackoverflow.com/questions/1570535/guide-to-understanding-gitk explains some-what the commands gitk uses from git to display the information it does.	08:23
jasonmsp	thx	08:24
cemc	sectionme: seems like it was the usb/tablet 'hardware' I had enabled. after I removed it, load got back to 0.00	09:40
Daviey	Buenos días a todos	09:49
lynxman	morning o/	10:12
lynxman	Daviey: buenos dias señor	10:12
jasonmsp	hey all. Anyone know how to view what files will change before doing a git merge? git diff remote/master seems to be showing the actual changes. I just want to see what files will be changed.	10:22
uvirtbot	New bug: #927540 in multipath-tools (main) "multipath ignores blacklist in multipath.conf" [Undecided,New] https://launchpad.net/bugs/927540	10:56
=== rickspencer3_ is now known as rickspencer3
uvirtbot	New bug: #925772 in php5 "UPDATE REQUEST: php53u 5.3.10 is available upstream" [Undecided,New] https://launchpad.net/bugs/925772	12:36
jdstrand_	Psi-Jack: er apparmor documentation> have you seen https://wiki.ubuntu.com/AppArmor. it has links to man pages, server guides, upstream documentation and tutorials, etc	13:10
pmatulis	Psi-Jack: so the problem is a lack of documentation?	13:11
koolhead11	hi all	13:47
=== KeyGruin is now known as KeyGruin-afk
=== jdstrand_ is now known as jdstrand
sectionme	cemc: glad you got it sorted.	14:19
cemc	sectionme: thanks for the help	14:22
=== bladernr_afk is now known as bladernr_
=== dduffey_afk is now known as dduffey
samba35	how to search for .iso file from some web server	15:18
_ruben	samba35: try rephrasing your question as it does not make much sense	15:23
samba35	ok	15:25
samba35	if i want to download some iso file from abc server but i don't know location of url ,i want to search iso file and download it	15:26
BigRedS	samba35: it depends on whether the server offers a means of searching. It's not a standard feature	15:26
BigRedS	the web generally revolves around links for which the endpoints are known, it's not searchable like a filesystem	15:27
samba35	ok	15:27
_ruben	if said iso is linked from somewhere, google might have found it :)	15:27
samba35	i tryed that	15:29
samba35	filetype:iso	15:30
SpamapS	jamespage: you around today?	15:35
mechcozmo	hello, does anyone here have experience installing OpenCV?	15:37
mechcozmo	I am trying to get the PHP face detection bindings to work, but every OpenCV guide has been broken or otherwise unhelpful	15:38
smb	zul, I hate to ask but... is there a good reason for xen in precise being 4.1.2-2ubuntu1 but xen-common being 4.1.0~rc6-1ubuntu2? (I mean mainly the 4.1.<0> compared to <2> part, cause Debians version in testing is 4.1.2-1	15:47
zul	smb: probably not...i can get that fixed right now	15:48
smb	zul, Ok, i'd appreciate that before I start complaining about the xendomains script being broken... ;-P	15:48
zul	:P	15:48
zul	smb: uploaded	15:50
* smb probably should save of his fixed version in case it is still broken...		15:50
smb	zul, Ok, I'll wait for that and check again	15:50
uvirtbot	New bug: #926468 in openssh (main) "Stopping ssh with a logged in user causes init to spin at 100%" [High,Fix released] https://launchpad.net/bugs/926468	16:02
hallyn	SpamapS: there's an open bug for qemu-kvm, to have qemu-common Replace: qemu, which is only relevant for hardy2lucid upgrades.	16:05
hallyn	i can just mark it fix released (without adding that replaces) and then sru it right?	16:05
hallyn	(jfdi i say)	16:13
SpamapS	hallyn: hm	16:14
SpamapS	hallyn: bug #?	16:14
SpamapS	hallyn: are you suggesting that its no longer an issue in the main distro? If so, then Invalid would be the appropriate status.	16:15
SpamapS	hallyn: or if it literally already was fixed, then Fix Released	16:15
=== Lcawte\|Away is now known as Lcawte
hallyn	SpamapS: <shrug> it's not an issue since qemu is now a meta-package. sure, invalid it is. thx	16:19
uvirtbot	New bug: #927705 in openvpn (main) "openvpn fail to start at boot" [Undecided,New] https://launchpad.net/bugs/927705	16:21
cloudgeek	any irc for hosting	16:28
cloudgeek	guys those using ubuntu server	16:28
SpamapS	hallyn: right, the bug status on the main release is just to signal to us SRU people that the fix doesn't need working on in the dev release.	16:30
EvilResistance	cloudgeek, i'm not sure i understand your question... what do you mean by "any irc for hosting"?	16:30
SpamapS	cloudgeek: "hosting" is almost as broad as "the cloud"	16:30
plm	people, I will buy a dell server.. R510, I I really not know id memeory single rank is so good than dual rank	16:31
plm	16GB RAM single rank is teh same price of 32GB RAM dual rank	16:31
plm	what you think?	16:31
SpamapS	hallyn: IMO, all hardy2lucid bugs are High importance.	16:39
=== sixstringsg is now known as sixstringsg\|away
rbasak	smoser: instead of cache deny for squid.conf hitting an apt mirror, I'm using "refresh_pattern \/(Packages\|Sources)(\|\.bz2\|\.gz)$ 0 0% 0;refresh_pattern \/Release(\|\.gpg)$ 0 0% 0". It forces squid to check for updates every time, but it will still use the cache if the file hasn't changed. Seems to work and speed things up a bit.	16:57
bthefirst	smoser: instead of cache deny for squid.conf hitting an apt mirror, I'm using "refresh_pattern \/(Packages\|Sources)(\|\.bz2\|\.gz)$ 0 0% 0;refresh_pattern \/Release(\|\.gpg)$ 0 0% 0". It forces squid to check for updates every time, but it will still use the cache if the file hasn't changed. Seems to work and speed things up a bit.	16:57
rbasak	I would propose a change to orchestra, but not sure if that's worth doing right now.	16:58
SpamapS	rbasak: lifeless pointed out that this will only work if all RRdns partners return the same Etag/etc.	17:00
rbasak	they sync the mtime though, right? If they do, then it'll fail by refreshing, which is the same as a cache deny anyway.	17:01
SpamapS	rbasak: thats basically the same as must-revalidate , if I understand must-revalidate	17:02
rbasak	OK	17:02
rbasak	I think I need to learn more about this	17:02
SpamapS	rbasak: the mtimes will be the same once all mirrors are up to date, yes. But there are large multi-minute windows where they are not in sync.. which has been the frustration thus far	17:03
rbasak	I think this needs to be sorted out - by modifying apt if needed. With all the automated installation that's going to be on (juju, cobbler, mass, etc) there needs to be a way to make this work flawlessly.	17:03
smoser	rbasak, it is definitely worth fixing.	17:04
smoser	(this is part of the reason i sent the pastebin)	17:04
smoser	so that someone would say "thats stupid"	17:04
smoser	hoping that that someone would be lifeless	17:04
smoser	and he woudl say "this is how you should do it"	17:04
SpamapS	"The workarounds are either must-revalidate (server side, works but only if all the round-robin mirrors are returning the same ETag and other metadata) or not caching the signed content.	17:04
rbasak	well you're doing the same as orchestra-server which I think is sensible	17:04
SpamapS	I believe cache deny matches the 'not caching the signed content'	17:05
smoser	so what i might do for my proxy, is to pin to a single mirror	17:05
SpamapS	smoser: is there any movement on producing an atomic apt-mirror?	17:05
rbasak	Is there a bug on this? I'm thinking "apt-get and debootstrap should work flawlessly with http proxies against our mirrors"	17:06
smoser	but SpamapS that is the least complicated of the issues.	17:06
smoser	the larger issue is the multi-mirror inconsistent.	17:06
smoser	clearly the single mirror inconsistent is REALLY BAD.	17:07
patdk-wk	I personally had nothing but issues with squid and pkg caching	17:07
patdk-wk	switched to apt-cacher-ng to fix it	17:07
smoser	but that problem goes very much away after release, and SRUs taper off...	17:07
jacobw	hello	17:07
smoser	patdk-wk, well, i've seen issues in apt-cacher-ng too, under load.	17:07
SpamapS	smoser: indeed, its basically in need of a 2-phase commit	17:08
patdk-wk	smoser, ya, older apt-cacher-ng I had some issues too, haven't recently though	17:08
SpamapS	smoser: build new mirror copy on all mirrors.. when they're all consistent, commit them all at once	17:08
jacobw	wrt slapd on current lts, how can i find out what rootdn,rootpw,basedn etc the configure scripts have chosen for me?	17:08
SpamapS	smoser: rsync --link-dest would work	17:08
smoser	SpamapS, yeah. it is definitely improvable.	17:08
SpamapS	For the client side.. all we can do is retry.	17:08
smoser	but i do not know of anyone working on it.	17:09
smoser	but for my proxy, i think i'll just pin squid to a single mirror	17:09
smoser	and then use rbasak's suggestion to cache those if they're valid.	17:09
SpamapS	smoser: I'd be reasonably happy with an option for apt-get like --retry-on-inconsistent-mirror	17:09
jacobw	without searching for guessed tree structures name based on current hostname	17:09
smoser	as a 'apt-get update' is like 22M now.	17:09
lifeless	oh	17:10
lifeless	someone should really file a bug (if they haven't) about squid rotating between round-robin hosts too much	17:10
lifeless	or at least there being no knob	17:10
rbasak	I don't think that's a bug	17:10
rbasak	I think the bug is that apt+mirror system needs to not break when there's an http-compliant proxy cache in the middle	17:11
lifeless	there are valid reasons to want slow rotation in the client	17:11
lifeless	that is definitely something we(squid) should support tuning of	17:11
rbasak	slow rotation would just reduce the error rate.	17:11
rbasak	the real solution should result in a zero error rate	17:11
lifeless	agreed; that requires either apt handling it (by retryign with a max-age 0	17:12
lifeless	or a different disk format	17:12
lifeless	because this error is intrinsic and can happen with no caching present at all	17:12
rbasak	Am I right in understand that the only intrinsic problem here is if the Release and Packages files don't match, because they conceptually update atomically but we see a skew?	17:13
smoser	yeah. so no matter what, apt shoudl support retrying	17:13
smoser	as "Read Release", "Read Packages" is going to result in out of sync at some point	17:13
smoser	with increased likelyhood over a slower connection	17:14
smoser	but i think that might be getting fixed...	17:14
smoser	by putting the Release and the Packages in the same file ? or something to that extent in apt.	17:14
SpamapS	Perhaps the answer long term is that Packages* should be versioned	17:14
SpamapS	Release would point to the current version of Packages	17:14
smoser	yeah, joining them doesn't really help.	17:15
SpamapS	seems like this would be an easy, backward compatible fix	17:18
SpamapS	Release can grow some new bits that don't interfere w/ old versions of apt reading it.	17:18
SpamapS	The Packages file can still be updated as a link to the latest version	17:18
SpamapS	but new versions of apt will grab the latest versioned Packages file.	17:18
lifeless	rbasak: no, thats one of the intrinsic issues	17:18
lifeless	rbasak: there are three;	17:19
lifeless	a) Foo and Foo.gpg having skew	17:19
rbasak	thanks	17:19
* rbasak is filing a bug on this		17:19
smoser	rbasak, i'm filing squid bug	17:19
lifeless	b) chained signed-by-hashes having skew (Release->Packages, Packages->other)	17:19
rbasak	I was filing an apt bug	17:19
adam_g	rbasak: ping	17:19
adam_g	er	17:19
smoser	we have a open RT for canonical IS regarding "mirrors sometimes/often inconsistent"	17:19
adam_g	roaksoax: ping	17:19
smoser	rbasak, but please file a "apt should support retry" or something.	17:20
lifeless	c) garbage collection occuring during slow clients (a special case of b, where the referenced file is a .deb)	17:20
lifeless	there are bugs filed	17:20
lifeless	no need to file dupes	17:20
rbasak	what are the bugs numbers, please? I couldn't find any.	17:20
lifeless	bug 24234 bug 33505	17:20
uvirtbot	Launchpad bug 24234 in apt "apt-get update failing with bad signature. (dup-of: 24061)" [High,Confirmed] https://launchpad.net/bugs/24234	17:21
uvirtbot	Launchpad bug 24061 in apt "GPG error with apt-get/aptitude/update-manager behind proxy (BADSIG 40976EAF437D05B5)" [High,In progress] https://launchpad.net/bugs/24061	17:21
uvirtbot	Launchpad bug 33505 in apt "BADSIG errors using transparent http proxies" [High,Fix released] https://launchpad.net/bugs/33505	17:21
rbasak	Fix released?	17:21
smoser	https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/927744	17:21
uvirtbot	Launchpad bug 927744 in squid3 "rotate around round robin hosts is not configurable" [Undecided,New]	17:21
lifeless	I haven't checked the change that was made, so can't comment on the appropriateness	17:21
lifeless	the IS response to these issues is (reasonably so) to try and mitigate as much as possible	17:22
lifeless	the root cause is the apt disk format; a tolerable workaround can be done by apt-get itself in principle (but with limited success as some intercepting (aka transparent) proxies do not honour cache-busting requests.	17:22
smoser	rbasak, for my proxy, i'll just update /etc/hosts and pin squid to one mirror.	17:22
lifeless	I have to go, baby needs me	17:23
smoser	can you give me a suggested squid.conf given that ?	17:23
smoser	for reference, the original is at http://paste.ubuntu.com/831432/	17:23
Pici	58	17:24
rbasak	smoser: OK, I reckon then http://paste.ubuntu.com/831618/	17:25
lifeless	smoser: just putting the host that apt is using in the hosts file should be enough	17:25
smoser	lifeless, right.	17:25
smoser	but then i want to have it cache, and currently it denies all of those.	17:25
lifeless	for the refresh pattern thing; mm, I'm not sure it will dtrt, but I can't dig into it now. syntax error on that alt config btw - RELEASE isn't defined	17:26
lifeless	give it a go, your test bed should show it up fairly quickly	17:26
rbasak	smoser: oops, remove line 47	17:26
smoser	rbasak, so it would seem that deny is no better than your solution for orchestra, right?	17:31
smoser	and we might as well have yours.	17:31
uvirtbot	New bug: #927744 in squid3 (main) "rotate around round robin hosts is not configurable" [Undecided,New] https://launchpad.net/bugs/927744	17:31
smoser	err.. deny is definitely worse (caches less) and does not improve or worsen the inconsistent issue	17:31
rbasak	smoser: I believe so, yes. But without a /etc/hosts pin, I was still getting mirror errors, so I didn't propose a change.	17:32
smoser	rbasak, well, there are still 2 issues..	17:32
smoser	a.) host actually inconsistent (non-atomic update)	17:32
smoser	b.) apt general issue even in perfectly atomic archive update	17:32
smoser	but you were probably hitting 'a'	17:32
rbasak	Yes, I think so	17:33
smoser	which does happen, and i had a script running, and saw that number to be 1 or 2 % of my attempts	17:33
smoser	on precise	17:33
smoser	something on that order... way too high. but it largely goes away after release (when archive is less active)	17:33
smoser	so we should prpose the change.	17:33
rbasak	So in the automated testing I've been doing, since Thursday night, I've had: 923 successful installs, two unknown (timeouts), 1 kernel oops, 26 debootstrap failures, 19 other what I think are mirror failures, 3 kernel panics, and 67 of another type of what I think are mirror failures.	17:36
rbasak	So ignoring the other problems, I believe I have a 4% installation failure rate due to some kind of mirror skew.	17:37
rbasak	That's using my proposed squid.conf, though no pinning of mirror on my squid host (which I've just added)	17:37
smoser	rbasak, https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/927750	17:39
uvirtbot	Launchpad bug 927750 in orchestra "orchestra squid config should not deny apt packages" [Undecided,New]	17:39
smoser	rbasak, if you pinn, you will really decrease your failure rate on apt	17:40
smoser	and if you pin to one of the "new mirrors" you'll further decrease	17:40
rbasak	smoser: I'm just restarting my statistics. I'll let you know :-)	17:40
smoser	(ie, older mirrors just slower hardware and rsync slower)	17:40
rbasak	Which is a "new mirror"?	17:40
smoser	i dont know. .	17:40
smoser	:)	17:40
smoser	i think actually, they may have removed those recently.	17:42
smoser	but from bad memory, i might suggest not selecting	17:42
smoser	31.88.189.91.in-addr.arpa domain name pointer leningradskaya.canonical.com.	17:42
smoser	and instead, pick one of them that is in http://paste.ubuntu.com/831636/ multiple times.	17:44
smoser	i picked cursa	17:44
Vexiant	https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration	17:45
Vexiant	I need help with the DNS caching part	17:45
Vexiant	can anyone help me?	17:46
=== starlocke is now known as Guest82915
rbasak	smoser: thanks, I'll also use cursa for consistency in case we have issues later	17:49
rbasak	smoser: interestingly cursa is one after ports of which there is only one	17:49
rbasak	Actually, that's a point. I've been using ports, of course, so I shouldn't been having the hitting two different mirrors problem at all.	17:50
smoser	hm..	17:50
smoser	i dont know.	17:50
smoser	maybe the ports are just slower ?	17:50
smoser	maybe that host is slow and thus open more so to single-inconsistency issues.	17:51
acidflash	hi everyone	17:51
acidflash	ping: sendmsg: Operation not permitted <-- i am getting this message occasionally, i have googled it, but i dont have ipmasq or anything in iptables which might cause that problem	17:52
acidflash	it is happening when i get really high loads on my network card (ie: about 10,000 packets @ 70 Mb)	17:52
sectionme	acidflash: sounds like your trying to do something that requires root, eg. ping -f	17:52
acidflash	any ideas or suggestions?	17:52
acidflash	i am logged in as root sectionme	17:52
* sectionme srugs sholders		17:53
cwillu_at_work	acidflash, I'm going to go with "prove it" :p	17:53
Vexiant	<Vexiant> https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration	17:54
Vexiant	* ahasenack (~andreas@200.146.81.216.dynamic.adsl.gvt.net.br) has joined #ubuntu-server	17:54
Vexiant	<Vexiant> I need help with the DNS caching part	17:54
Vexiant	<Vexiant> can anyone help me?	17:54
acidflash	cwillu_at_work: im not sure what you mean ?	17:54
cwillu_at_work	acidflash, as a general rule of troubleshooting, when somebody tells you "I'm pretty sure", you shouldn't be surprised if the opposite ends up being the case	17:56
cwillu_at_work	that said	17:56
cwillu_at_work	I'm apparently incapable of reading english today	17:57
cwillu_at_work	could have swore that "<acidflash> i am logged in as root sectionme" was "<acidflash> i am logged in as root sometimes"	17:57
acidflash	cwillu_at_work: hehe :)	17:57
cwillu_at_work	acidflash, can you provide the exact command line you're using, and any other relevant details? :p	17:57
acidflash	sure	17:57
acidflash	ubuntu 10.04	17:58
acidflash	ubuntu-server*	17:58
acidflash	i am using this as a caching server	17:58
acidflash	10.04 -> one of the network cards is a gigabit pci-express card	17:58
acidflash	there is about 10K Packets @ about 70 Mb traffic	17:58
acidflash	iptables is just redirecting any incoming connection to port 3128	17:59
acidflash	nothing else running except openssh and the server software	17:59
cwillu_at_work	can you provide the exact command line you're using,	17:59
acidflash	yes	17:59
acidflash	ping xx.xx.xx.xx	17:59
acidflash	:)	17:59
* cwillu_at_work is unimpressed		18:00
acidflash	no switches or parameters	18:00
acidflash	will occasionally go from <1 to 1.x ms	18:00
acidflash	and then it will give: ping: sendmsg: Operation not permitted	18:00
acidflash	for a few times, then it works again	18:00
cwillu_at_work	are you pinging an ip or a hostname?	18:01
cwillu_at_work	and is it ipv4 or v6?	18:01
acidflash	ipv4	18:01
acidflash	and its an ip	18:01
cwillu_at_work	what do you mean precisely by "iptables is redirecting any incoming connection to port 3128"?	18:02
acidflash	i can show you	18:02
acidflash	1 min	18:02
acidflash	/sbin/iptables -I PREROUTING -t nat -p tcp --dport 80 -i ${local} -j REDIRECT --to 3128	18:02
acidflash	/sbin/iptables -A PREROUTING -t nat -j MASQUERADE	18:02
cwillu_at_work	acidflash, pastebin is good	18:02
acidflash	sorry,	18:02
acidflash	your right	18:02
cwillu_at_work	(for one thing, it allows me to continue to see these things after they've scrolled off the top)	18:02
acidflash	okie yes	18:02
cwillu_at_work	acidflash, can you pastebin the output of iptables --list-rules?	18:03
acidflash	http://pastebin.com/CQ9kA6BF	18:03
acidflash	yes	18:03
acidflash	http://pastebin.com/pfWEVcPf	18:04
cwillu_at_work	acidflash, iptables --list is as empty?	18:06
acidflash	http://pastebin.com/rUquhzhi	18:06
=== sixstringsg\|away is now known as sixstringsg
roaksoax	smoser: bug #927750 IIRC, doing so created cache errors	18:08
uvirtbot	Launchpad bug 927750 in orchestra "orchestra squid config should not deny apt packages" [Undecided,New] https://launchpad.net/bugs/927750	18:08
cwillu_at_work	acidflash, and what address are you pinging?	18:09
acidflash	my gateway	18:09
cwillu_at_work	loopback? address of the machine? other machine on the same segment?	18:09
cwillu_at_work	k	18:09
=== sixstringsg is now known as sixstringsg\|away
smoser	roaksoax, there are caching errors, but it seemed to those present here in that discussion that they would not be worsened by this.	18:11
smoser	hm...	18:11
cwillu_at_work	acidflash, sorry, my iptables is rusty	18:14
zul	adam_g: just as a heads up ill be merging some of the debian keystone changes (dbconfig changes mostly) this week	18:14
acidflash	its ok	18:14
cwillu_at_work	acidflash, can you do iptables --list-rules -t nat	18:14
cwillu_at_work	(important -t there :p	18:14
cwillu_at_work	acidflash, and on a similar note, does it work before you add those rules?	18:14
adam_g	zul: cool	18:15
acidflash	it worked fine before and after, the only thing that increased was the traffic	18:15
acidflash	it wasnt that much before	18:15
acidflash	about 5-6K packes	18:15
acidflash	packets	18:15
acidflash	http://pastebin.com/F5jYwLhv	18:15
roaksoax	smoser: right, but caching those files kinda broke the cache various times IIRC, forcing us to clear the cache, and restart squid	18:15
smoser	right.	18:16
smoser	yeah.	18:16
smoser	that sucks.	18:16
smoser	so you just cache a broken state, which is not good.	18:16
roaksoax	exaclty	18:17
smoser	but it still should resolve itself as the etag shoudl only go forward	18:17
smoser	so you'd just be stuck until the mirrors were in a consistent state.	18:17
smoser	dpm	18:17
smoser	s/dpm//	18:17
smoser	don't you think?	18:17
roaksoax	smoser: yeah, which caused some of the problems we experienced before	18:18
smoser	roaksoax, but only sort of.	18:18
rbasak	Yeah, I think it'll be fine unless the mtime appears to go backwards	18:18
smoser	because if you're saying "not caching anything made it better"	18:18
smoser	that simply can't be true	18:18
roaksoax	smoser: i'm not aggains commiting your fix, but rather, ifproblems show back again, then we can simply revert changes	18:18
smoser	hm..	18:19
smoser	yeah.	18:19
smoser	yeah.	18:19
smoser	there are lots of issues at play here.	18:19
roaksoax	indeed	18:19
smoser	and unfortunately it doens't look like they're all going to be fixed at once	18:19
smoser	(or even by 12.04 release)	18:19
rbasak	roaksoax: by default, squid will cache a file for some period of time before checking to see if it has been updated upstream. It sounds like this is what was biting you. So you can either set squid never to cache the file, or to check it against the mirror every time. This change will make it check against the mirror every time. I'm not sure there is a situation where the check will return that the cached file can be served even though a newer one	18:20
rbasak	is available on the mirror, and if this is true then this change is safe.	18:20
cwillu_at_work	acidflash, double check that ipmasq isn't installed?	18:21
cwillu_at_work	(or rather, the binary isn't there)	18:21
cwillu_at_work	acidflash, can you post lspci?	18:22
acidflash	yes	18:22
acidflash	http://pastebin.com/ZT3TdVyB	18:23
cwillu_at_work	acidflash, http://lists.danga.com/pipermail/memcached/2006-September/002726.html seems to show the same symptoms, but there's no resolution there, or any real details beyond the "ping fails under load" thing	18:24
cwillu_at_work	acidflash, and which interface is the one where things stop working?	18:24
cwillu_at_work	the realtek or the marvell?	18:24
acidflash	via gigabit pci-x	18:24
acidflash	ahh i dont see it in the list	18:25
acidflash	let me find it, 1 min	18:25
cloudgeek	any webshoter here	18:25
acidflash	yeah its the realtek	18:26
roaksoax	rbasak: sure, I don't really mind merging the fix, what I'm saying is that if I come accross the nasty issues seen during the oneiric cycle, it will be merged back to original	18:26
cwillu_at_work	acidflash, what's the current value of /proc/sys/net/ipv4/ip_conntrack_max, if you have such a key?	18:26
acidflash	i dont, but i can show you if you want my sysctl parameters	18:26
rbasak	ok, fair enough	18:26
cwillu_at_work	acidflash, just cat /proc/sys/net/ipv4/ip_conntrack_max	18:26
acidflash	they are injust to the system	18:26
acidflash	ok	18:26
roaksoax	rbasak: cool then ;)	18:27
acidflash	no such file or directory	18:27
cwillu_at_work	acidflash, mind pastebinning the output of dmesg?	18:28
acidflash	sure	18:29
cwillu_at_work	(note that this may include your ip address :p)	18:29
acidflash	cwillu_at_work: no problem, anything specific you want to see in dmesg or do you just want me to do a straight forward dmesg?	18:29
cwillu_at_work	whole thing please	18:29
cwillu_at_work	I'm just on a fishing expedition at the moment	18:29
acidflash	okie	18:30
acidflash	just a moment pastebin is under heavy load at the momeny, pastebinit cant create a link	18:31
acidflash	http://pastebin.com/F55DnnS3	18:31
cwillu_at_work	acidflash, I think we have a winner	18:32
cwillu_at_work	nf_conntrack: table full, dropping packet	18:32
acidflash	cwillu_at_work: okie, kernel overload you think ?	18:32
kerframil	just as an aside, that path might not be right (in recent kernels anyway). sysctl -n net.netfilter.nf_conntrack_max should be reliable.	18:32
cwillu_at_work	kerframil, thanks	18:32
cwillu_at_work	acidflash, ^^	18:32
acidflash	aha, so its the kernel not the card dropping the packets?	18:33
cwillu_at_work	what does sysctl -n net.netfilter.nf_conntrack_max say?	18:33
acidflash	65536	18:34
cwillu_at_work	and net.netfilter.nf_conntrack_count?	18:34
acidflash	65502	18:34
kerframil	ouch	18:34
acidflash	i think im starting to understand why	18:35
acidflash	thats the maximum amount of open tcp sessions ?	18:35
cwillu_at_work	acidflash, what sort of load is on the machine?	18:35
acidflash	and how much i currently hoave?	18:35
kerframil	acidflash: that can be handled by the connection tracking system in netfilter (not just tcp either)	18:35
acidflash	its a caching server serving around 5000 users	18:35
acidflash	caching proxy	18:35
cwillu_at_work	acidflash, yes, although I think it's actually "things that it's tracking", not necessarily just tcp	18:35
acidflash	mm	18:35
acidflash	okie can i increase the conntrack_max number in sysctl?	18:37
acidflash	or is that not recommended	18:37
kerframil	acidflash: yes. see also /etc/sysctl.conf.	18:37
acidflash	okie i thought so	18:37
kerframil	acidflash: acidflash: if you actually need connection tracking, just increase the limit and keep an eye on the count in future. you can also use the 'RAW' table in netfilter to except some connections from connection tracking (I do this for traffic to and from LAN subnets, not being forwarded).	18:37
kerframil	oops, sorry for double nick	18:37
acidflash	kerframil: the second option sounds like something worth reading about, can you point me somewhere ?	18:38
acidflash	and yes i am going to see the value in sysctl to something larger	18:38
kerframil	acidflash: googling will turn up some stuff, as will the man page. I can give you a direct example.	18:38
acidflash	okie, ill do	18:38
kerframil	http://dpaste.com/698479/	18:39
acidflash	i think i am going to set that conntrack_max to about 200,000	18:39
kerframil	in my case, $local_net contains "10.0.0.0/16". the important thing is never to use this trick for packets being forwarded - otherwise you can end up in hot water.	18:39
kerframil	that's why -s and -d are the same there	18:40
acidflash	aha	18:40
kerframil	as for conntrack_max, please use a power of 2. if you increase it to something significant (like I do), consider changing the bucket size. moment.	18:40
acidflash	kerframil: okie, but apparently it cant be set in the sysctl.conf	18:41
acidflash	couldnt be in 2007, not sure about now though, im reading	18:41
kerframil	acidflash: conntrack_max?	18:42
acidflash	yes	18:42
acidflash	no it seems you can	18:42
acidflash	i think that article is just old	18:42
kerframil	acidflash: http://rackerhacker.com/2008/01/24/ip_conntrack-table-full-dropping-packet/#comment-15409	18:43
acidflash	yah i was reading that :D	18:43
kerframil	acidflash: very good comment there	18:43
kerframil	acidflash: I have conntrack max at 2^21 (2 million) and have changed the hashsize to maintain a bucket depth of 4	18:44
acidflash	kerframil: thats a great article thanks alot for the help..	18:44
acidflash	I am going to read it and make some changes	18:44
acidflash	if i have any more problems, ill be back, but in the mean time thanks a lot for your help guys	18:44
kerframil	acidflash: also worth bearing mind is that the default period for a TCP connection being reaped within conntrack is a week	18:49
kerframil	acidflash: net.netfilter.nf_conntrack_tcp_timeout_established	18:50
acidflash	kerframil: my software normally times out after 60 seconds, do you think i should set it in sysctl as well?	18:51
kerframil	acidflash: I would say that's far too short. this determines after which time conntrack considers a TCP connection as dead after it has been established but where it is inactive (no traffic seen)	18:52
kerframil	acidflash: I use 24 hours, if you want a benchmark	18:52
kerframil	the being established part is obviously done through the initial SYN and the three way handshake. but, in my case, I don't want inactive connections to clog up the table for a whole week.	18:53
RoyK	can some smart-guy out there explain to me where the libpng.so binary file may reside? http://paste.ubuntu.com/831720/	18:58
pmatulis	RoyK: you want to find the file on your filesystem?	19:05
koolhead17	netsplit	19:05
JanC	RoyK: what ubuntu version?	19:05
=== Myrtti is now known as Guest98157
JanC	if you are using 11.10, it's probably located in /lib/x86_64-linux-gnu/libpng12.so.0.46.0	19:09
JanC	if you are looking for the real file and not the symlinks used for compatibility	19:10
uvirtbot	New bug: #927805 in cloud-init (main) "t1.micro instance defect after dist-upgrade" [Undecided,New] https://launchpad.net/bugs/927805	19:11
uvirtbot	New bug: #927808 in nova (main) "nova-compute fails to attach volumes: FileNotFound: File /etc/iscsi/initiatorname.iscsi could not be found." [Undecided,New] https://launchpad.net/bugs/927808	19:11
RoyK	JanC: lucid - it was under /lib	19:13
* RoyK wonders wtf such libs are placed under /lib and not /usr/lib		19:13
SpamapS	RoyK: because the boot splash uses it	19:16
RoyK	ah	19:18
JanC	RoyK: right, lucid didn't have multiarch yet ☺	19:20
RoyK	nope, it doesn't	19:20
RoyK	but I don't use anything non-lts for servers...	19:20
JanC	12.04 LTS will have multiarch	19:21
RoyK	yeah	19:21
JanC	which is very cool ☺	19:21
RoyK	so I guess I'll move to that when 12.04.1 is released	19:21
RoyK	(which is, IIRC, the default upgrade path)	19:21
JanC	AFAIK it is	19:22
RoyK	perhaps upgrade the compute nodes first - some of those scientists are rather greedy on new versions...	19:22
JanC	RoyK: if new versions improve compute time significantly, I can understand	19:24
RoyK	not really, but they come with new versions of scipy/numpy	19:25
JanC	although in most cases improving algorithms is likely to help a lot more	19:25
JanC	well, I guess upgrading those on an LTS should be possible too (maybe providing them through -backports)	19:26
RoyK	JanC: or, as we do, compile them in a separate tree and just use whatever versions needed	19:27
JanC	right	19:27
JanC	although having them available in some repository would be nice	19:27
JanC	provided scientist organisations want to cooperate on that... :P	19:28
RoyK	not really, better keep a baseline for most and let those in desperate need for the latest and hottest and hippest compile their own in a shared folder somewhere	19:28
RoyK	there's a "scientific linux", which should be rather well updated, but, being redhat-based, I don't want to touch it	19:30
_johnny	hi. any gdb users? i used to have a cmd which gdb would evaluate every time it breaks. like "x/s $eax" and such. i can't see *watch doing this. am i making this up, or? :)	19:30
hallyn	Daviey: for adding a (lxc) section to ubuntu server guide. there is no 12.04 server guide yet. is there a staging area for it? Or should i start with a basic (oneiric-relevant) section in the 11.10 server guide, and just wait to add the precise bits?	19:49
skyler_	Hi, does anyone know how to raise the virtual memory limit?	19:52
SpamapS	skyler_: what do you mean by "the virtual memory limit" ?	19:54
skyler_	When I try to compile anything, I get: "virtual memory exhausted: Cannot allocate memory"	19:55
skyler_	so (as suggested by google) I ran ulimit -v 20000	19:55
skyler_	and now I can't even run ls	19:55
skyler_	and I can't raise the limit back to what it was	19:56
Vexiant	I need help	19:56
Vexiant	https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration	19:56
Vexiant	"The default configuration is setup to act as a caching server. All that is required is simply adding the IP Addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/named.conf.options:"	19:56
Vexiant	can someone help me?	19:56
Daviey	hallyn: can i answer that tomorrow? I need to check in the docs team (and other matters.)	19:57
adam_g	roaksoax: pign	19:57
hallyn	stgraber: now, emitting the net-device-up for lo in lxcguest for oneiric+precise won't hurt anything right? ( seems not worth checking the container release before emitting)	19:59
hallyn	(re bug 924337)	19:59
uvirtbot	Launchpad bug 924337 in lxc "lxc on precise is not working with lucid containers (container does not reach runlevel 2)" [High,Fix released] https://launchpad.net/bugs/924337	19:59
stgraber	hallyn: should be safe indeed	20:00
hallyn	thx	20:00
roaksoax	adam_g: pong	20:01
Vexiant	I see that everyone else can get help other than me	20:02
hallyn	hm, i suppose lp:~serge-hallyn/+junk/lxc-test could be turned into a lxctest package residing in lxc source pkg....	20:02
hallyn	(not today)	20:03
adam_g	roaksoax: is there any way to limit the number of concurrent requests cobbler makes to power management?	20:03
adam_g	roaksoax: for whatever reason, that CDU in the CI lab is slowing down and requests sometimes get lost if the CDU is busy handling 5 other calls	20:04
roaksoax	adam_g: i don't think there's a way to do that in cobbler	20:04
roaksoax	adam_g: maybe, the CDU's configuration provides a way to control concurrent requests for that matter	20:05
hallyn	jodh: /etc/init/lxcmount.conf currently emits 'mounted MOUNTPOINT=/run'. (will stop soon). but it doesn't have an 'emits mounted' at top. What will go wrong?	20:05
adam_g	roaksoax: couldn't find anything. might create some little daemon to queue and dispatch requests accordingly, cobbler can just call that instead	20:06
roaksoax	adam_g: maybe that would be a good improvement within cobbler	20:07
roaksoax	s/within/for	20:07
adam_g	roaksoax: or the fence agents libraries	20:08
JanC	hallyn: "emits ..." is only documentation, so nothing should go wrong?	20:09
JanC	(or did I miss something)	20:09
roaksoax	adam_g: or that too, but maybe, could it be a bug within the cdu agent itself? maybe it its not correctly closing the connections to the cdu	20:13
* roaksoax brb		20:14
adam_g	roaksoax: thats all handled by the fencing.py library (which is a bit of a mess, IMHO)	20:15
hallyn	JanC: thanks, that's what i was wondering.	20:19
hallyn	esp whether some automated tools might miss out on possible event paths...	20:19
JanC	hallyn: there might be automated tools depending on this documentation of course, but not in default Ubuntu AFAIK	20:27
JanC	I mean, everybody can write a script depending on that without knowing it's not mandatory	20:28
roaksoax	adam_g: most likely lol!	20:29
hallyn	naturally :)	20:30
hallyn	stgraber: do you see any issue with http://people.canonical.com/~serge/lxc_0.7.5-3ubuntu18.dsc? (It seemed best to add the emit to a new 'start' section rather than the pre-start script...)	20:33
hallyn	oops	20:33
hallyn	meant http://people.canonical.com/~serge/lxc.debdiff	20:33
stgraber	hallyn: hmm, this looks wrong, different code path as what we have starting with oneiric/precise	20:35
stgraber	hallyn: you should either do "ifup --allow auto lo" or emit net-device-added	20:36
uvirtbot	New bug: #927863 in lxc (main) "container reboot patch broke clean lxc-execute exits" [Medium,Confirmed] https://launchpad.net/bugs/927863	20:36
stgraber	hallyn: emitting net-device-up bypasses ifupdown and all the scripts in /etc/network/* which doesn't seem right	20:37
stgraber	hallyn: "initctl emit net-device-added INTERFACE=lo" should give you the same thing as you'd get from udev on a regular system	20:38
hallyn	hm, ok, yeah. i think that's what i originally did during natty cycle. thanks.	20:40
hallyn	stgraber: you think i should do -n there?	20:41
hallyn	probably not.	20:41
stgraber	hallyn: I'd recommend the -n otherwise you'll end up stuck there until the whole list of dependencies has been processed and all these jobs are started	20:47
stgraber	which in this case, should only be network-interface.conf but well, probably still a good idea	20:47
hallyn	notes that lxcmount.conf doesn't do -n. i suppose i shoudl add it?	20:49
=== robbiew1 is now known as robbiew
=== KeyGruin-afk is now known as KeyGruin
uvirtbot	New bug: #927883 in lxc (main) "lxc-execute fails due to missing /dev/shm" [High,Confirmed] https://launchpad.net/bugs/927883	21:05
uvirtbot	New bug: #927887 in rabbitmq-server (main) "package rabbitmq-server 2.6.1-1ubuntu4 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/927887	21:11
=== dduffey is now known as dduffey_afk
=== dduffey_afk is now known as dduffey
=== dduffey is now known as dduffey_afk
kirkland	jcastro: ping	23:18
mgw	pong	23:18
mgw	oh sorry, didn't see jcastro part	23:18
mgw	:-)	23:18
StrangeCharm	I backed up my secring, exported my primary key (& its subkeys) to a file, then made changes to the subkeys. I deleted some of my encryption subkeys, but not to worry, because I have backups! However, I seem get GPG to re-import the sub-keys. When import the key file, it's all like "Oh, I already have that master key, so I don't need to worry about its subkeys." I want those subkeys back in my main key, how do I fix it?	23:28
hallyn	stgraber: any complaints from you if I switch lxc over to upstart?	23:35
hallyn	We might end up missing new features in Debian as a result...	23:36
hallyn	man apt-cacher-ng is really messed up	23:48
stgraber	hallyn: no complaint, just make sure the start condition works for most use cases (at least wait for local-filesystems, possibly for more)	23:49
hallyn	stgraber: i'd probably do "start on (runlevel [2345] and stopped networking RESULT=ok)" like libvirt does	23:50
hallyn	which, actually, i thought i changed that in libvirt	23:50
chelz	does anyone or has anyone heard of various runlevels actually being used?	23:51
hallyn	thought that had been set to 'static-network-up'	23:51
=== koolhead17 is now known as koolhead17\|zzZZ
stgraber	hallyn: RESULT=ok for networking is risky	23:53
stgraber	hallyn: networking is meant as a fallback for interfaces that can't be brought up by events, so someone making a typo in some of these interfaces would prevent your job from starting ...	23:53

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!