/srv/irclogs.ubuntu.com/2012/02/06/#ubuntu-server.txt

=== Lcawte is now known as Lcawte|Away
=== Lcawte|Away is now known as Lcawte
=== Lcawte is now known as Lcawte|Away
[03:58] <Thermionix> yo, quick question - I setup 12.04 server alpha 2 the other day, and it has linux-image-3.2.0-12-generic instead of linux-image-server
[03:59] <patdk-lap> yep
[04:01] <Thermionix> is that meant to be?
[04:18] <dravekx> I'm trying to setup a bash script to add user accounts. I think I'm doing it wrong. anyone give me a hand? http://pastebin.com/28VkfHNL
[04:18] <twb> Thermionix: the latter probably depends on the former
[04:19] <twb> dravekx: yes, that is wrong
[04:20] <twb> Second line should be "adduser $i sftponly".
[04:20] <dravekx> ah
[04:20] <twb> You should have a set -e and a trap to report it, so that the script will abort on errors instead of carrying on regardless.
[04:20] <twb> set -eEu; set -o pipefail; trap 'echo >&2 "$0: unknown error"' ERR
[04:21] <twb> Line (4) should probably be an argument to the first adduser
[04:21] <twb> Lines 6 through 8 should be an install(1) call, and line (5) should probably be recursive.
[04:22] <twb> You should also ensure that e.g. PHP evaluation is disabled in such users' public_html dirs
[04:22] <twb> Oh, and htaccess, although IIRC that is off in the default configuration for those dirs
[04:23] <twb> Further discussion should be directed to #bash (for scripting) and #httpd (for apache httpd).
[04:23] <dravekx> I need php in userdirs. they have php apps. :S
[04:23] <twb> dravekx: they should probably have separate jails then
[04:23] <twb> dravekx: talk to the #httpd people about best practice; my policy is simply "no PHP on my system at all"
[04:23] <dravekx> they are jailed in the public_html folders.
[04:24] <dravekx> k
[04:24] <twb> dravekx: SSH is but not http, I expect
[04:24] <twb> i.e. they write and upload a PHP program, that PHP program when run won't be jailed by the sshd_config
[04:24] <dravekx> ah really? I didn't know that.
[04:25] <dravekx> lots to learn then. lol.
=== kees_ is now known as kees
[06:57] <Thermionix> anyone think its worth setting up mcelog? running a c2d processor kernel 3.2 x64
[07:03] <sectionme> Anyone know of an options for nfs exports to allow nesting of mounts on the server-side, eg. /exports/work/{project1,project2,project3} which say project2 is on a different mount point, currently it gets exported as the empty directory as if it wasn't mounted, nohide doesn't seem to solve the issue.
[07:23] <renagadexx> I can't get a stupid damn subdomain to work with apache2. I've added virtual hosts to httpd.conf and I'm pretty sure the DNS is configured properly, but I keep getting 500 errors every time I go to the subdomain.
[07:23] <renagadexx> Any ideas why?
[07:23] <twb> Thermionix: IME no
[07:24] <greppy> renagadexx: anything in the logs?
[07:24] <renagadexx> yeah, want me to pastebin?
=== Skaag_ is now known as Skaag
[07:27] <renagadexx> greppy: Let me paste. It may have something to do with pywebsocket...
[07:28] <cemc> hi. I have a 6core AMD Opteron server (HP DLXY G6), 16GB RAM. I've installed a 10.04.3 LTS 64bit on it, and then I installed a CentOS 6.2 64bit in a vm in KVM.
[07:28] <cemc> I have a constant 0.2-0.3 load on the host, but the vm is not doing anything at all.
[07:29] <cemc> http://pastebin.ubuntu.com/831053/ - this is the host, sorted by TIME column. that kvm is the only one running
[07:30] <cemc> http://pastebin.ubuntu.com/831056/ - this is the vm, also sorted by TIME
[07:30] <greppy> renagadexx: yeah, that's not apache that's having the problem, it looks like your python bits are the problem.
[07:31] <cemc> is there anything I should know about or tweak maybe, to not get this load. I mean if I start multiple VMs and I'll have 1+ load while idle, that's no fun
[07:31] <renagadexx> chill...I'll add handlers for the subdomain and see what happens!
[07:32] <sectionme> cemc: what kind of disk are you using for your guest? img/cow/cow2/etc or lvm? I've noticed load on my hosts using img over lvm.
[07:32] <cemc> sectionme: LVM
[07:33] <cemc> sectionme: should there be this much load with the vm idling?
[07:35] <sectionme> cemc: have you tried using kvm_stat?
[07:36] <cemc> sectionme: nope, I'm trying it now, thanks. anything else?
[07:37] <sectionme> cemc: could always try cloning your guest and starting that up also, see if theres an increase in load or if it remains the same on the host. I don't have any unloaded hosts here to try on myself, so can't help all that much more.
[07:38] <cemc> sectionme: alright, thanks for the tips anyway
[07:41] <sectionme> cemc: one thing that springs to mind is the kernel that the guest is running, eg. is it tickless? is it the eqiv. of -virtual?
[07:43] <cemc> sectionme: I don't think so, it's the default centos 6.2 one. but the strange thing is, this same vm doesn't cause load on a centos 6.2 host with kvm
[07:43] <cemc> sectionme: how can I check the tickless part?
[07:45] <sectionme> cemc: that is a little strange, for the kernel config, it might be under /proc/config.gz depending on the kernel build.
[07:47] <sectionme> cemc: Btw have you tried asking in #kvm? They _should_ know better :)
[07:55] <renagadexx> greppy: well shit, mod python isn't playing nice
[07:56] <renagadexx> its complaining there is no _path
[07:56] <cemc> sectionme: I will, thanks!
=== jtv is now known as jtv-C8H10N4O2
[08:14] <jasonmsp> hey all.. Im in the process of learning git and came up with a tutorial that is looking for gitk..  Since im sshd into the server I don't have a graphical interface, nor do I want to.  What is the alternative to gitk for a command line view?
=== jtv-C8H10N4O2 is now known as jtv
[08:19] <greppy> jasonmsp: just... git?
[08:23] <sectionme> jasonmsp: http://stackoverflow.com/questions/1570535/guide-to-understanding-gitk explains some-what the commands gitk uses from git to display the information it does.
[08:24] <jasonmsp> thx
[09:40] <cemc> sectionme: seems like it was the usb/tablet 'hardware' I had enabled. after I removed it, load got back to 0.00
[09:49] <Daviey> Buenos días a todos
[10:12] <lynxman> morning o/
[10:12] <lynxman> Daviey: buenos dias señor
[10:22] <jasonmsp> hey all.  Anyone know how to view what files will change before doing a git merge?  git diff remote/master seems to be showing the actual changes.  I just want to see what files will be changed.
[10:56] <uvirtbot> New bug: #927540 in multipath-tools (main) "multipath ignores blacklist in multipath.conf" [Undecided,New] https://launchpad.net/bugs/927540
=== rickspencer3_ is now known as rickspencer3
[12:36] <uvirtbot> New bug: #925772 in php5 "UPDATE REQUEST: php53u 5.3.10 is available upstream" [Undecided,New] https://launchpad.net/bugs/925772
[13:10] <jdstrand_> Psi-Jack: er apparmor documentation> have you seen https://wiki.ubuntu.com/AppArmor. it has links to man pages, server guides, upstream documentation and tutorials, etc
[13:11] <pmatulis> Psi-Jack: so the problem is a lack of documentation?
[13:47] <koolhead11> hi all
=== KeyGruin is now known as KeyGruin-afk
=== jdstrand_ is now known as jdstrand
[14:19] <sectionme> cemc: glad you got it sorted.
[14:22] <cemc> sectionme: thanks for the help
=== bladernr_afk is now known as bladernr_
=== dduffey_afk is now known as dduffey
[15:18] <samba35> how to search for .iso file from some web server
[15:23] <_ruben> samba35: try rephrasing your question as it does not make much sense
[15:25] <samba35> ok
[15:26] <samba35> if i want to download some iso file from abc server but i don't know location of url ,i want to search iso file and download it
[15:26] <BigRedS> samba35: it depends on whether the server offers a means of searching. It's not a standard feature
[15:27] <BigRedS> the web generally revolves around links for which the endpoints are known, it's not searchable like a filesystem
[15:27] <samba35> ok
[15:27] <_ruben> if said iso is linked from somewhere, google might have found it :)
[15:29] <samba35> i tried that
[15:30] <samba35> filetype:iso
[15:35] <SpamapS> jamespage: you around today?
[15:37] <mechcozmo> hello, does anyone here have experience installing OpenCV?
[15:38] <mechcozmo> I am trying to get the PHP face detection bindings to work, but every OpenCV guide has been broken or otherwise unhelpful
[15:47] <smb> zul, I hate to ask but... is there a good reason for xen in precise being 4.1.2-2ubuntu1 but xen-common being 4.1.0~rc6-1ubuntu2? (I mean mainly the 4.1.<0> compared to <2> part, cause Debians version in testing is 4.1.2-1
[15:48] <zul> smb: probably not...i can get that fixed right now
[15:48] <smb> zul, Ok, i'd appreciate that before I start complaining about the xendomains script being broken... ;-P
[15:48] <zul> :P
[15:50] <zul> smb: uploaded
[15:50] * smb probably should save of his fixed version in case it is still broken...
[15:50] <smb> zul, Ok, I'll wait for that and check again
[16:02] <uvirtbot> New bug: #926468 in openssh (main) "Stopping ssh with a logged in user causes init to spin at 100%" [High,Fix released] https://launchpad.net/bugs/926468
[16:05] <hallyn> SpamapS: there's an open bug for qemu-kvm, to have qemu-common Replace: qemu, which is only relevant for hardy2lucid upgrades.
[16:05] <hallyn> i can just mark it fix released (without adding that replaces) and then sru it right?
[16:13] <hallyn> (jfdi i say)
[16:14] <SpamapS> hallyn: hm
[16:14] <SpamapS> hallyn: bug #?
[16:15] <SpamapS> hallyn: are you suggesting that its no longer an issue in the main distro? If so, then Invalid would be the appropriate status.
[16:15] <SpamapS> hallyn: or if it literally already was fixed, then Fix Released
=== Lcawte|Away is now known as Lcawte
[16:19] <hallyn> SpamapS: <shrug> it's not an issue since qemu is now a meta-package.  sure, invalid it is.  thx
[16:21] <uvirtbot> New bug: #927705 in openvpn (main) "openvpn fail to start at boot" [Undecided,New] https://launchpad.net/bugs/927705
[16:28] <cloudgeek> any irc for hosting
[16:28] <cloudgeek> guys those using ubuntu server
[16:30] <SpamapS> hallyn: right, the bug status on the main release is just to signal to us SRU people that the fix doesn't need working on in the dev release.
[16:30] <EvilResistance> cloudgeek, i'm not sure i understand your question... what do you mean by "any irc for hosting"?
[16:30] <SpamapS> cloudgeek: "hosting" is almost as broad as "the cloud"
[16:31] <plm> people, I will buy a dell server.. R510, I really not know if memory single rank is so good than dual rank
[16:31] <plm> 16GB RAM single rank is the same price of 32GB RAM dual rank
[16:31] <plm> what you think?
[16:39] <SpamapS> hallyn: IMO, all hardy2lucid bugs are High importance.
=== sixstringsg is now known as sixstringsg|away
[16:57] <rbasak> smoser: instead of cache deny for squid.conf hitting an apt mirror, I'm using "refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0;refresh_pattern \/Release(|\.gpg)$ 0 0% 0". It forces squid to check for updates every time, but it will still use the cache if the file hasn't changed. Seems to work and speed things up a bit.
[16:57] <bthefirst> smoser: instead of cache deny for squid.conf hitting an apt mirror, I'm using "refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0;refresh_pattern \/Release(|\.gpg)$ 0 0% 0". It forces squid to check for updates every time, but it will still use the cache if the file hasn't changed. Seems to work and speed things up a bit.
[16:58] <rbasak> I would propose a change to orchestra, but not sure if that's worth doing right now.
[17:00] <SpamapS> rbasak: lifeless pointed out that this will only work if all RRdns partners return the same Etag/etc.
[17:01] <rbasak> they sync the mtime though, right? If they do, then it'll fail by refreshing, which is the same as a cache deny anyway.
[17:02] <SpamapS> rbasak: thats basically the same as must-revalidate , if I understand must-revalidate
[17:02] <rbasak> OK
[17:02] <rbasak> I think I need to learn more about this
[17:03] <SpamapS> rbasak: the mtimes will be the same once all mirrors are up to date, yes. But there are large multi-minute windows where they are not in sync.. which has been the frustration thus far
[17:03] <rbasak> I think this needs to be sorted out - by modifying apt if needed. With all the automated installation that's going to be on (juju, cobbler, mass, etc) there needs to be a way to make this work flawlessly.
[17:04] <smoser> rbasak, it is definitely worth fixing.
[17:04] <smoser> (this is part of the reason i sent the pastebin)
[17:04] <smoser> so that someone would say "thats stupid"
[17:04] <smoser> hoping that that someone would be lifeless
[17:04] <smoser> and he would say "this is how you should do it"
[17:04] <SpamapS> "The workarounds are either must-revalidate (server side, works but only if all the round-robin mirrors are returning the same ETag and other metadata) or not caching the signed content.
[17:04] <rbasak> well you're doing the same as orchestra-server which I think is sensible
[17:05] <SpamapS> I believe cache deny matches the 'not caching the signed content'
[17:05] <smoser> so what i might do for my proxy, is to pin to a single mirror
[17:05] <SpamapS> smoser: is there any movement on producing an atomic apt-mirror?
[17:06] <rbasak> Is there a bug on this? I'm thinking "apt-get and debootstrap should work flawlessly with http proxies against our mirrors"
[17:06] <smoser> but SpamapS that is the least complicated of the issues.
[17:06] <smoser> the larger issue is the multi-mirror inconsistent.
[17:07] <smoser> clearly the single mirror inconsistent is REALLY BAD.
[17:07] <patdk-wk> I personally had nothing but issues with squid and pkg caching
[17:07] <patdk-wk> switched to apt-cacher-ng to fix it
[17:07] <smoser> but that problem goes very much away after release, and SRUs taper off...
[17:07] <jacobw> hello
[17:07] <smoser> patdk-wk, well, i've seen issues in apt-cacher-ng too, under load.
[17:08] <SpamapS> smoser: indeed, its basically in need of a 2-phase commit
[17:08] <patdk-wk> smoser, ya, older apt-cacher-ng I had some issues too, haven't recently though
[17:08] <SpamapS> smoser: build new mirror copy on all mirrors.. when they're all consistent, commit them all at once
[17:08] <jacobw> wrt slapd on current lts, how can i find out what rootdn,rootpw,basedn etc the configure scripts have chosen for me?
[17:08] <SpamapS> smoser: rsync --link-dest would work
[17:08] <smoser> SpamapS, yeah. it is definitely improvable.
[17:08] <SpamapS> For the client side.. all we can do is retry.
[17:09] <smoser> but i do not know of anyone working on it.
[17:09] <smoser> but for my proxy, i think i'll just pin squid to a single mirror
[17:09] <smoser> and then use rbasak's suggestion to cache those if they're valid.
[17:09] <SpamapS> smoser: I'd be reasonably happy with an option for apt-get like --retry-on-inconsistent-mirror
[17:09] <jacobw> without searching for guessed tree structures name based on current hostname
[17:09] <smoser> as a 'apt-get update' is like 22M now.
[17:10] <lifeless> oh
[17:10] <lifeless> someone should really file a bug (if they haven't) about squid rotating between round-robin hosts too much
[17:10] <lifeless> or at least there being no knob
[17:10] <rbasak> I don't think that's a bug
[17:11] <rbasak> I think the bug is that apt+mirror system needs to not break when there's an http-compliant proxy cache in the middle
[17:11] <lifeless> there are valid reasons to want slow rotation in the client
[17:11] <lifeless> that is definitely something we(squid) should support tuning of
[17:11] <rbasak> slow rotation would just reduce the error rate.
[17:11] <rbasak> the real solution should result in a zero error rate
[17:12] <lifeless> agreed; that requires either apt handling it (by retrying with a max-age 0
[17:12] <lifeless> or a different disk format
[17:12] <lifeless> because this error is intrinsic and can happen with no caching present at all
[17:13] <rbasak> Am I right in understanding that the only intrinsic problem here is if the Release and Packages files don't match, because they conceptually update atomically but we see a skew?
[17:13] <smoser> yeah. so no matter what, apt should support retrying
[17:13] <smoser> as "Read Release", "Read Packages" is going to result in out of sync at some point
[17:14] <smoser> with increased likelihood over a slower connection
[17:14] <smoser> but i think that might be getting fixed...
[17:14] <smoser> by putting the Release and the Packages in the same file ? or something to that extent in apt.
[17:14] <SpamapS> Perhaps the answer long term is that Packages* should be versioned
[17:14] <SpamapS> Release would point to the current version of Packages
[17:15] <smoser> yeah, joining them doesn't really help.
[17:18] <SpamapS> seems like this would be an easy, backward compatible fix
[17:18] <SpamapS> Release can grow some new bits that don't interfere w/ old versions of apt reading it.
[17:18] <SpamapS> The Packages file can still be updated as a link to the latest version
[17:18] <SpamapS> but new versions of apt will grab the latest versioned Packages file.
[17:18] <lifeless> rbasak: no, thats one of the intrinsic issues
[17:19] <lifeless> rbasak: there are three;
[17:19] <lifeless> a) Foo and Foo.gpg having skew
[17:19] <rbasak> thanks
[17:19] * rbasak is filing a bug on this
[17:19] <smoser> rbasak, i'm filing squid bug
[17:19] <lifeless> b) chained signed-by-hashes having skew (Release->Packages, Packages->other)
[17:19] <rbasak> I was filing an apt bug
[17:19] <adam_g> rbasak: ping
[17:19] <adam_g> er
[17:19] <smoser> we have a open RT for canonical IS regarding "mirrors sometimes/often inconsistent"
[17:19] <adam_g> roaksoax: ping
[17:20] <smoser> rbasak, but please file a "apt should support retry" or something.
[17:20] <lifeless> c) garbage collection occurring during slow clients (a special case of b, where the referenced file is a .deb)
[17:20] <lifeless> there are bugs filed
[17:20] <lifeless> no need to file dupes
[17:20] <rbasak> what are the bugs numbers, please? I couldn't find any.
[17:20] <lifeless> bug 24234 bug 33505
[17:21] <uvirtbot> Launchpad bug 24234 in apt "apt-get update failing with bad signature. (dup-of: 24061)" [High,Confirmed] https://launchpad.net/bugs/24234
[17:21] <uvirtbot> Launchpad bug 24061 in apt "GPG error with apt-get/aptitude/update-manager behind proxy (BADSIG 40976EAF437D05B5)" [High,In progress] https://launchpad.net/bugs/24061
[17:21] <uvirtbot> Launchpad bug 33505 in apt "BADSIG errors using transparent http proxies" [High,Fix released] https://launchpad.net/bugs/33505
[17:21] <rbasak> Fix released?
[17:21] <smoser> https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/927744
[17:21] <uvirtbot> Launchpad bug 927744 in squid3 "rotate around round robin hosts is not configurable" [Undecided,New]
[17:21] <lifeless> I haven't checked the change that was made, so can't comment on the appropriateness
[17:22] <lifeless> the IS response to these issues is (reasonably so) to try and mitigate as much as possible
[17:22] <lifeless> the root cause is the apt disk format; a tolerable workaround can be done by apt-get itself in principle (but with limited success as some intercepting (aka transparent) proxies do not honour cache-busting requests.
[17:22] <smoser> rbasak, for my proxy, i'll just update /etc/hosts and pin squid to one mirror.
[17:23] <lifeless> I have to go, baby needs me
[17:23] <smoser> can you give me a suggested squid.conf given that ?
[17:23] <smoser> for reference, the original is at http://paste.ubuntu.com/831432/
[17:24] <Pici> 58
[17:25] <rbasak> smoser: OK, I reckon then http://paste.ubuntu.com/831618/
[17:25] <lifeless> smoser: just putting the host that apt is using in the hosts file should be enough
[17:25] <smoser> lifeless, right.
[17:25] <smoser> but then i want to have it cache, and currently it denies all of those.
[17:26] <lifeless> for the refresh pattern thing; mm, I'm not sure it will dtrt, but I can't dig into it now. syntax error on that alt config btw - RELEASE isn't defined
[17:26] <lifeless> give it a go, your test bed should show it up fairly quickly
[17:26] <rbasak> smoser: oops, remove line 47
[17:31] <smoser> rbasak, so it would seem that deny is no better than your solution for orchestra, right?
[17:31] <smoser> and we might as well have yours.
[17:31] <uvirtbot> New bug: #927744 in squid3 (main) "rotate around round robin hosts is not configurable" [Undecided,New] https://launchpad.net/bugs/927744
[17:31] <smoser> err.. deny is definitely worse (caches less) and does not improve or worsen the inconsistent issue
[17:32] <rbasak> smoser: I believe so, yes. But without a /etc/hosts pin, I was still getting mirror errors, so I didn't propose a change.
[17:32] <smoser> rbasak, well, there are still 2 issues..
[17:32] <smoser> a.) host actually inconsistent (non-atomic update)
[17:32] <smoser> b.) apt general issue even in perfectly atomic archive update
[17:32] <smoser> but you were probably hitting 'a'
[17:33] <rbasak> Yes, I think so
[17:33] <smoser> which does happen, and i had a script running, and saw that number to be 1 or 2 % of my attempts
[17:33] <smoser> on precise
[17:33] <smoser> something on that order... way too high. but it largely goes away after release (when archive is less active)
[17:33] <smoser> so we should propose the change.
[17:36] <rbasak> So in the automated testing I've been doing, since Thursday night, I've had: 923 successful installs, two unknown (timeouts), 1 kernel oops, 26 debootstrap failures, 19 other what I think are mirror failures, 3 kernel panics, and 67 of another type of what I think are mirror failures.
[17:37] <rbasak> So ignoring the other problems, I believe I have a 4% installation failure rate due to some kind of mirror skew.
[17:37] <rbasak> That's using my proposed squid.conf, though no pinning of mirror on my squid host (which I've just added)
[17:39] <smoser> rbasak, https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/927750
[17:39] <uvirtbot> Launchpad bug 927750 in orchestra "orchestra squid config should not deny apt packages" [Undecided,New]
[17:40] <smoser> rbasak, if you pin, you will really decrease your failure rate on apt
[17:40] <smoser> and if you pin to one of the "new mirrors" you'll further decrease
[17:40] <rbasak> smoser: I'm just restarting my statistics. I'll let you know :-)
[17:40] <smoser> (ie, older mirrors just slower hardware and rsync slower)
[17:40] <rbasak> Which is a "new mirror"?
[17:40] <smoser> i dont know. .
[17:40] <smoser> :)
[17:42] <smoser> i think actually, they may have removed those recently.
[17:42] <smoser> but from  bad memory, i might suggest not selecting
[17:42] <smoser> 31.88.189.91.in-addr.arpa domain name pointer leningradskaya.canonical.com.
[17:44] <smoser> and instead, pick one of them that is in http://paste.ubuntu.com/831636/ multiple times.
[17:44] <smoser> i picked cursa
[17:45] <Vexiant> https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration
[17:45] <Vexiant> I need help with the DNS caching part
[17:46] <Vexiant> can anyone help me?
=== starlocke is now known as Guest82915
[17:49] <rbasak> smoser: thanks, I'll also use cursa for consistency in case we have issues later
[17:49] <rbasak> smoser: interestingly cursa is one after ports of which there is only one
[17:50] <rbasak> Actually, that's a point. I've been using ports, of course, so I shouldn't been having the hitting two different mirrors problem at all.
[17:50] <smoser> hm..
[17:50] <smoser> i dont know.
[17:50] <smoser> maybe the ports are just slower ?
[17:51] <smoser> maybe that host is slow and thus open more so to single-inconsistency issues.
[17:51] <acidflash> hi everyone
[17:52] <acidflash> ping: sendmsg: Operation not permitted <-- i am getting this message occasionally, i have googled it, but i dont have ipmasq or anything in iptables which might cause that problem
[17:52] <acidflash> it is happening when i get really high loads on my network card (ie: about 10,000 packets @ 70 Mb)
[17:52] <sectionme> acidflash: sounds like your trying to do something that requires root, eg. ping -f
[17:52] <acidflash> any ideas or suggestions?
[17:52] <acidflash> i am logged in as root sectionme
[17:53] * sectionme shrugs shoulders
[17:53] <cwillu_at_work> acidflash, I'm going to go with "prove it" :p
[17:54] <Vexiant> <Vexiant> https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration
[17:54] <Vexiant> * ahasenack (~andreas@200.146.81.216.dynamic.adsl.gvt.net.br) has joined #ubuntu-server
[17:54] <Vexiant> <Vexiant> I need help with the DNS caching part
[17:54] <Vexiant> <Vexiant> can anyone help me?
[17:54] <acidflash> cwillu_at_work: im not sure what you mean ?
[17:56] <cwillu_at_work> acidflash, as a general rule of troubleshooting, when somebody tells you "I'm pretty sure", you shouldn't be surprised if the opposite ends up being the case
[17:56] <cwillu_at_work> that said
[17:57] <cwillu_at_work> I'm apparently incapable of reading english today
[17:57] <cwillu_at_work> could have swore that "<acidflash> i am logged in as root sectionme" was "<acidflash> i am logged in as root sometimes"
[17:57] <acidflash> cwillu_at_work: hehe :)
[17:57] <cwillu_at_work> acidflash, can you provide the exact command line you're using, and any other relevant details? :p
[17:57] <acidflash> sure
[17:58] <acidflash> ubuntu 10.04
[17:58] <acidflash> ubuntu-server*
[17:58] <acidflash> i am using this as a caching server
[17:58] <acidflash> 10.04 -> one of the network cards is a gigabit pci-express card
[17:58] <acidflash> there is about 10K Packets @ about 70 Mb traffic
[17:59] <acidflash> iptables is just redirecting any incoming connection to port 3128
[17:59] <acidflash> nothing else running except openssh and the server software
[17:59] <cwillu_at_work> can you provide the exact command line you're using,
[17:59] <acidflash> yes
[17:59] <acidflash> ping xx.xx.xx.xx
[17:59] <acidflash> :)
[18:00] * cwillu_at_work is unimpressed
[18:00] <acidflash> no switches or parameters
[18:00] <acidflash> will occasionally go from <1 to 1.x ms
[18:00] <acidflash> and then it will give: ping: sendmsg: Operation not permitted
[18:00] <acidflash> for a few times, then it works again
[18:01] <cwillu_at_work> are you pinging an ip or a hostname?
[18:01] <cwillu_at_work> and is it ipv4 or v6?
[18:01] <acidflash> ipv4
[18:01] <acidflash> and its an ip
[18:02] <cwillu_at_work> what do you mean precisely by "iptables is redirecting any incoming connection to port 3128"?
[18:02] <acidflash> i can show you
[18:02] <acidflash> 1 min
[18:02] <acidflash> /sbin/iptables -I PREROUTING -t nat -p tcp --dport 80 -i ${local} -j REDIRECT --to 3128
[18:02] <acidflash> /sbin/iptables -A PREROUTING -t nat -j MASQUERADE
[18:02] <cwillu_at_work> acidflash, pastebin is good
[18:02] <acidflash> sorry,
[18:02] <acidflash> your right
[18:02] <cwillu_at_work> (for one thing, it allows me to continue to see these things after they've scrolled off the top)
[18:02] <acidflash> okie yes
[18:03] <cwillu_at_work> acidflash, can you pastebin the output of iptables --list-rules?
[18:03] <acidflash> http://pastebin.com/CQ9kA6BF
[18:03] <acidflash> yes
[18:04] <acidflash> http://pastebin.com/pfWEVcPf
[18:06] <cwillu_at_work> acidflash, iptables --list is as empty?
[18:06] <acidflash> http://pastebin.com/rUquhzhi
=== sixstringsg|away is now known as sixstringsg
[18:08] <roaksoax> smoser: bug #927750 IIRC, doing so created cache errors
[18:08] <uvirtbot> Launchpad bug 927750 in orchestra "orchestra squid config should not deny apt packages" [Undecided,New] https://launchpad.net/bugs/927750
[18:09] <cwillu_at_work> acidflash, and what address are you pinging?
[18:09] <acidflash> my gateway
[18:09] <cwillu_at_work> loopback?  address of the machine?  other machine on the same segment?
[18:09] <cwillu_at_work> k
=== sixstringsg is now known as sixstringsg|away
[18:11] <smoser> roaksoax, there are caching errors, but it seemed to those present here in that discussion that they would not be worsened by this.
[18:11] <smoser> hm...
[18:14] <cwillu_at_work> acidflash, sorry, my iptables is rusty
[18:14] <zul> adam_g: just as a heads up ill be merging some of the debian keystone changes (dbconfig changes mostly) this week
[18:14] <acidflash> its ok
[18:14] <cwillu_at_work> acidflash, can you do iptables --list-rules -t nat
[18:14] <cwillu_at_work> (important -t there :p
[18:14] <cwillu_at_work> acidflash, and on a similar note, does it work before you add those rules?
[18:15] <adam_g> zul: cool
[18:15] <acidflash> it worked fine before and after, the only thing that increased was the traffic
[18:15] <acidflash> it wasnt that much before
[18:15] <acidflash> about 5-6K packes
[18:15] <acidflash> packets
[18:15] <acidflash> http://pastebin.com/F5jYwLhv
[18:15] <roaksoax> smoser: right, but caching those files kinda broke the cache various times IIRC, forcing us to clear the cache, and restart squid
[18:16] <smoser> right.
[18:16] <smoser> yeah.
[18:16] <smoser> that sucks.
[18:16] <smoser> so you just cache a broken state, which is not good.
[18:17] <roaksoax> exactly
[18:17] <smoser> but it still should resolve itself as the etag should only go forward
[18:17] <smoser> so you'd just be stuck until the mirrors were in a consistent state.
[18:17] <smoser> dpm
[18:17] <smoser> s/dpm//
[18:17] <smoser> don't you think?
[18:18] <roaksoax> smoser: yeah, which caused some of the problems we experienced before
[18:18] <smoser> roaksoax, but only sort of.
[18:18] <rbasak> Yeah, I think it'll be fine unless the mtime appears to go backwards
[18:18] <smoser> because if you're saying "not caching anything made it better"
[18:18] <smoser> that simply can't be true
[18:18] <roaksoax> smoser: i'm not against committing your fix, but rather, if problems show back again, then we can simply revert changes
[18:19] <smoser> hm..
[18:19] <smoser> yeah.
[18:19] <smoser> yeah.
[18:19] <smoser> there are lots of issues at play here.
[18:19] <roaksoax> indeed
[18:19] <smoser> and unfortunately it doesn't look like they're all going to be fixed at once
[18:19] <smoser> (or even by 12.04 release)
[18:20] <rbasak> roaksoax: by default, squid will cache a file for some period of time before checking to see if it has been updated upstream. It sounds like this is what was biting you. So you can either set squid never to cache the file, or to check it against the mirror every time. This change will make it check against the mirror every time. I'm not sure there is a situation where the check will return that the cached file can be served even though a newer one
[18:20] <rbasak> is available on the mirror, and if this is true then this change is safe.
[18:21] <cwillu_at_work> acidflash, double check that ipmasq isn't installed?
[18:21] <cwillu_at_work> (or rather, the binary isn't there)
[18:22] <cwillu_at_work> acidflash, can you post lspci?
[18:22] <acidflash> yes
[18:23] <acidflash> http://pastebin.com/ZT3TdVyB
[18:24] <cwillu_at_work> acidflash, http://lists.danga.com/pipermail/memcached/2006-September/002726.html seems to show the same symptoms, but there's no resolution there, or any real details beyond the "ping fails under load" thing
[18:24] <cwillu_at_work> acidflash, and which interface is the one where things stop working?
[18:24] <cwillu_at_work> the realtek or the marvell?
[18:24] <acidflash> via gigabit pci-x
[18:25] <acidflash> ahh i dont see it in the list
[18:25] <acidflash> let me find it, 1 min
[18:25] <cloudgeek> any webshoter here
[18:26] <acidflash> yeah its the realtek
[18:26] <roaksoax> rbasak: sure, I don't really mind merging the fix, what I'm saying is that if I come across the nasty issues seen during the oneiric cycle, it will be merged back to original
[18:26] <cwillu_at_work> acidflash, what's the current value of /proc/sys/net/ipv4/ip_conntrack_max, if you have such a key?
[18:26] <acidflash> i dont, but i can show you if you want my sysctl parameters
[18:26] <rbasak> ok, fair enough
[18:26] <cwillu_at_work> acidflash, just cat /proc/sys/net/ipv4/ip_conntrack_max
[18:26] <acidflash> they are injust to the system
[18:26] <acidflash> ok
[18:27] <roaksoax> rbasak: cool then ;)
[18:27] <acidflash> no such file or directory
[18:28] <cwillu_at_work> acidflash, mind pastebinning the output of dmesg?
[18:29] <acidflash> sure
[18:29] <cwillu_at_work> (note that this may include your ip address :p)
[18:29] <acidflash> cwillu_at_work: no problem, anything specific you want to see in dmesg or do you just want me to do a straight forward dmesg?
[18:29] <cwillu_at_work> whole thing please
[18:29] <cwillu_at_work> I'm just on a fishing expedition at the moment
[18:30] <acidflash> okie
[18:31] <acidflash> just a moment pastebin is under heavy load at the moment, pastebinit cant create a link
[18:31] <acidflash> http://pastebin.com/F55DnnS3
cwillu_at_workacidflash, I think we have a winner18:32
cwillu_at_worknf_conntrack: table full, dropping packet18:32
acidflashcwillu_at_work: okie, kernel overload you think ?18:32
kerframiljust as an aside, that path might not be right (in recent kernels anyway). sysctl -n net.netfilter.nf_conntrack_max should be reliable.18:32
cwillu_at_workkerframil, thanks18:32
cwillu_at_workacidflash, ^^18:32
acidflashaha, so its the kernel not the card dropping the packets?18:33
cwillu_at_workwhat does sysctl -n net.netfilter.nf_conntrack_max  say?18:33
acidflash6553618:34
cwillu_at_workand net.netfilter.nf_conntrack_count?18:34
acidflash6550218:34
kerframilouch18:34
acidflashi think im starting to understand why18:35
acidflashthats the maximum amount of open tcp sessions ?18:35
cwillu_at_workacidflash, what sort of load is on the machine?18:35
acidflashand how much i currently hoave?18:35
kerframilacidflash: that can be handled by the connection tracking system in netfilter (not just tcp either)18:35
acidflashits a caching server serving around 5000 users18:35
acidflashcaching proxy18:35
cwillu_at_workacidflash, yes, although I think it's actually "things that it's tracking", not necessarily just tcp18:35
acidflashmm18:35
acidflashokie can i increase the conntrack_max number in sysctl?18:37
acidflashor is that not recommended18:37
kerframilacidflash: yes. see also /etc/sysctl.conf.18:37
acidflashokie i thought so18:37
kerframilacidflash: acidflash: if you actually need connection tracking, just increase the limit and keep an eye on the count in future. you can also use the 'RAW' table in netfilter to except some connections from connection tracking (I do this for traffic to and from LAN subnets, not being forwarded).18:37
kerframiloops, sorry for double nick18:37
acidflashkerframil: the second option sounds like something worth reading about, can you point me somewhere ?18:38
acidflashand yes i am going to set the value in sysctl to something larger18:38
kerframilacidflash: googling will turn up some stuff, as will the man page. I can give you a direct example.18:38
acidflashokie, ill do18:38
kerframilhttp://dpaste.com/698479/18:39
acidflashi think i am going to set that conntrack_max to about 200,00018:39
kerframilin my case, $local_net contains "10.0.0.0/16". the important thing is never to use this trick for packets being forwarded - otherwise you can end up in hot water.18:39
kerframilthat's why -s and -d are the same there18:40
acidflashaha18:40
kerframilas for conntrack_max, please use a power of 2. if you increase it to something significant (like I do), consider changing the bucket size. moment.18:40
acidflashkerframil: okie, but apparently it cant be set in the sysctl.conf18:41
acidflashcouldnt be in 2007, not sure about now though, im reading18:41
kerframilacidflash: conntrack_max?18:42
acidflashyes18:42
acidflashno it seems you can18:42
acidflashi think that article is just old18:42
kerframilacidflash: http://rackerhacker.com/2008/01/24/ip_conntrack-table-full-dropping-packet/#comment-1540918:43
acidflashyah i was reading that :D18:43
kerframilacidflash: very good comment there18:43
kerframilacidflash: I have conntrack max at 2^21 (2 million) and have changed the hashsize to maintain a bucket depth of 418:44
acidflashkerframil: that's a great article, thanks a lot for the help..18:44
acidflashI am going to read it and make some changes18:44
acidflashif i have any more problems, ill be back, but in the mean time thanks a lot for your help guys18:44
kerframilacidflash: also worth bearing in mind is that the default period for a TCP connection being reaped within conntrack is a week18:49
kerframilacidflash: net.netfilter.nf_conntrack_tcp_timeout_established18:50
acidflashkerframil: my software normally times out after 60 seconds, do you think i should set it in sysctl as well?18:51
kerframilacidflash: I would say that's far too short. this determines after which time conntrack considers a TCP connection as dead after it has been established but where it is inactive (no traffic seen)18:52
kerframilacidflash: I use 24 hours, if you want a benchmark18:52
kerframilthe being established part is obviously done through the initial SYN and the three way handshake. but, in my case, I don't want inactive connections to clog up the table for a whole week.18:53
RoyKcan some smart-guy out there explain to me where the libpng.so binary file may reside? http://paste.ubuntu.com/831720/18:58
pmatulisRoyK: you want to find the file on your filesystem?19:05
koolhead17netsplit19:05
JanCRoyK: what ubuntu version?19:05
=== Myrtti is now known as Guest98157
JanCif you are using 11.10, it's probably located in /lib/x86_64-linux-gnu/libpng12.so.0.46.019:09
JanCif you are looking for the real file and not the symlinks used for compatibility19:10
uvirtbotNew bug: #927805 in cloud-init (main) "t1.micro instance defect after dist-upgrade" [Undecided,New] https://launchpad.net/bugs/92780519:11
uvirtbotNew bug: #927808 in nova (main) "nova-compute fails to attach volumes: FileNotFound: File /etc/iscsi/initiatorname.iscsi could not be found." [Undecided,New] https://launchpad.net/bugs/92780819:11
RoyKJanC: lucid - it was under /lib19:13
* RoyK wonders wtf such libs are placed under /lib and not /usr/lib19:13
SpamapSRoyK: because the boot splash uses it19:16
RoyKah19:18
JanCRoyK: right, lucid didn't have multiarch yet  ☺19:20
RoyKnope, it doesn't19:20
RoyKbut I don't use anything non-lts for servers...19:20
JanC12.04 LTS will have multiarch19:21
RoyKyeah19:21
JanCwhich is very cool  ☺19:21
RoyKso I guess I'll move to that when 12.04.1 is released19:21
RoyK(which is, IIRC, the default upgrade path)19:21
JanCAFAIK it is19:22
RoyKperhaps upgrade the compute nodes first - some of those scientists are rather greedy on new versions...19:22
JanCRoyK: if new versions improve compute time significantly, I can understand19:24
RoyKnot really, but they come with new versions of scipy/numpy19:25
JanCalthough in most cases improving algorithms is likely to help a lot more19:25
JanCwell, I guess upgrading those on an LTS should be possible too (maybe providing them through -backports)19:26
RoyKJanC: or, as we do, compile them in a separate tree and just use whatever versions needed19:27
JanCright19:27
JanCalthough having them available in some repository would be nice19:27
JanCprovided scientist organisations want to cooperate on that...   :P19:28
RoyKnot really, better keep a baseline for most and let those in desperate need for the latest and hottest and hippest compile their own in a shared folder somewhere19:28
RoyKthere's a "scientific linux", which should be rather well updated, but, being redhat-based, I don't want to touch it19:30
_johnnyhi. any gdb users? i used to have a cmd which gdb would evaluate every time it breaks. like "x/s $eax" and such. i can't see *watch doing this. am i making this up, or? :)19:30
hallynDaviey: for adding a (lxc) section to ubuntu server guide.  there is no 12.04 server guide yet.  is there a staging area for it?  Or should i start with a basic (oneiric-relevant) section in the 11.10 server guide, and just wait to add the precise bits?19:49
skyler_Hi, does anyone know how to raise the virtual memory limit?19:52
SpamapSskyler_: what do you mean by "the virtual memory limit" ?19:54
skyler_When I try to compile anything, I get: "virtual memory exhausted: Cannot allocate memory"19:55
skyler_so (as suggested by google) I ran ulimit -v 2000019:55
skyler_and now I can't even run ls19:55
skyler_and I can't raise the limit back to what it was19:56
VexiantI need help19:56
Vexianthttps://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration19:56
Vexiant"The default configuration is setup to act as a caching server. All that is required is simply adding the IP Addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/named.conf.options:"19:56
Vexiantcan someone help me?19:56
Davieyhallyn: can i answer that tomorrow?  I need to check in the docs team (and other matters.)19:57
adam_groaksoax: ping19:57
hallynstgraber: now, emitting the net-device-up for lo in lxcguest for oneiric+precise won't hurt anything right?  ( seems not worth checking the container release before emitting)19:59
hallyn(re bug 924337)19:59
uvirtbotLaunchpad bug 924337 in lxc "lxc on precise is not working with lucid containers (container does not reach runlevel 2)" [High,Fix released] https://launchpad.net/bugs/92433719:59
stgraberhallyn: should be safe indeed20:00
hallynthx20:00
roaksoaxadam_g: pong20:01
VexiantI see that everyone else can get help other than me20:02
hallynhm, i suppose lp:~serge-hallyn/+junk/lxc-test could be turned into a lxctest package residing in lxc source pkg....20:02
hallyn(not today)20:03
adam_groaksoax: is there any way to limit the number of concurrent requests cobbler makes to power management?20:03
adam_groaksoax: for whatever reason, that CDU in the CI lab is slowing down and requests sometimes get lost if the CDU is busy handling 5 other calls20:04
roaksoaxadam_g: i don't think there's a way to do that in cobbler20:04
roaksoaxadam_g: maybe, the CDU's configuration provides a way to control concurrent requests for that matter20:05
hallynjodh: /etc/init/lxcmount.conf currently emits 'mounted MOUNTPOINT=/run'.  (will stop soon).  but it doesn't have an 'emits mounted' at top.  What will go wrong?20:05
adam_groaksoax: couldn't find anything. might create some little daemon to queue and dispatch requests accordingly, cobbler can just call that instead20:06
roaksoaxadam_g: maybe that would be a good improvement within cobbler20:07
roaksoaxs/within/for20:07
adam_groaksoax: or the fence agents libraries20:08
JanChallyn: "emits ..." is only documentation, so nothing should go wrong?20:09
JanC(or did I miss something)20:09
roaksoaxadam_g: or that too, but maybe, could it be a bug within the cdu agent itself? maybe it's not correctly closing the connections to the cdu20:13
* roaksoax brb20:14
adam_groaksoax: thats all handled by the fencing.py library (which is a bit of a mess, IMHO)20:15
hallynJanC: thanks, that's what i was wondering.20:19
hallynesp whether some automated tools might miss out on possible event paths...20:19
JanChallyn: there might be automated tools depending on this documentation of course, but not in default Ubuntu AFAIK20:27
JanCI mean, everybody can write a script depending on that without knowing it's not mandatory20:28
roaksoaxadam_g: most likely lol!20:29
hallynnaturally :)20:30
hallynstgraber: do you see any issue with http://people.canonical.com/~serge/lxc_0.7.5-3ubuntu18.dsc?  (It seemed best to add the emit to a new 'start' section rather than the pre-start script...)20:33
hallynoops20:33
hallynmeant http://people.canonical.com/~serge/lxc.debdiff20:33
stgraberhallyn: hmm, this looks wrong, different code path as what we have starting with oneiric/precise20:35
stgraberhallyn: you should either do "ifup --allow auto lo" or emit net-device-added20:36
uvirtbotNew bug: #927863 in lxc (main) "container reboot patch broke clean lxc-execute exits" [Medium,Confirmed] https://launchpad.net/bugs/92786320:36
stgraberhallyn: emitting net-device-up bypasses ifupdown and all the scripts in /etc/network/* which doesn't seem right20:37
stgraberhallyn: "initctl emit net-device-added INTERFACE=lo" should give you the same thing as you'd get from udev on a regular system20:38
hallynhm, ok, yeah.  i think that's what i originally did during natty cycle.  thanks.20:40
hallynstgraber: you think i should do -n there?20:41
hallynprobably not.20:41
stgraberhallyn: I'd recommend the -n otherwise you'll end up stuck there until the whole list of dependencies has been processed and all these jobs are started20:47
stgraberwhich in this case, should only be network-interface.conf but well, probably still a good idea20:47
hallynnotes that lxcmount.conf doesn't do -n.  i suppose i should add it?20:49
=== robbiew1 is now known as robbiew
=== KeyGruin-afk is now known as KeyGruin
uvirtbotNew bug: #927883 in lxc (main) "lxc-execute fails due to missing /dev/shm" [High,Confirmed] https://launchpad.net/bugs/92788321:05
uvirtbotNew bug: #927887 in rabbitmq-server (main) "package rabbitmq-server 2.6.1-1ubuntu4 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/92788721:11
=== dduffey is now known as dduffey_afk
=== dduffey_afk is now known as dduffey
=== dduffey is now known as dduffey_afk
kirklandjcastro: ping23:18
mgwpong23:18
mgwoh sorry, didn't see jcastro part23:18
mgw:-)23:18
StrangeCharmI backed up my secring, exported my primary key (& its subkeys) to a file, then made changes to the subkeys. I deleted some of my encryption subkeys, but not to worry, because I have backups! However, I seem get GPG to re-import the sub-keys. When I import the key file, it's all like "Oh, I already have that master key, so I don't need to worry about its subkeys." I want those subkeys back in my main key, how do I fix it?23:28
hallynstgraber: any complaints from you if I switch lxc over to upstart?23:35
hallynWe might end up missing new features in Debian as a result...23:36
hallynman apt-cacher-ng is really messed up23:48
stgraberhallyn: no complaint, just make sure the start condition works for most use cases (at least wait for local-filesystems, possibly for more)23:49
hallynstgraber: i'd probably do "start on (runlevel [2345] and stopped networking RESULT=ok)" like libvirt does23:50
hallynwhich, actually, i thought i changed that in libvirt23:50
chelzdoes anyone or has anyone heard of various runlevels actually being used?23:51
hallynthought that had been set to 'static-network-up'23:51
=== koolhead17 is now known as koolhead17|zzZZ
stgraberhallyn: RESULT=ok for networking is risky23:53
stgraberhallyn: networking is meant as a fallback for interfaces that can't be brought up by events, so someone making a typo in some of these interfaces would prevent your job from starting ...23:53
