[03:58] <Thermionix> yo, quick question - I setup 12.04 server alpha 2 the other day, and it has linux-image-3.2.0-12-generic instead of linux-image-server
[03:59] <patdk-lap> yep
[04:01] <Thermionix> is that meant to be?
[04:18] <dravekx> I'm trying to setup a bash script to add user accounts. I think I'm doing it wrong. anyone give me a hand? http://pastebin.com/28VkfHNL
[04:18] <twb> Thermionix: the latter probably depends on the former
[04:19] <twb> dravekx: yes, that is wrong
[04:20] <twb> Second line should be "adduser $i sftponly".
[04:20] <dravekx> ah
[04:20] <twb> You should have a set -e and a trap to report it, so that the script will abort on errors instead of carrying on regardless.
[04:20] <twb> set -eEu; set -o pipefail; trap 'echo >&2 "$0: unknown error"' ERR
[04:21] <twb> Line (4) should probably be an argument to the first adduser
[04:21] <twb> Lines 6 through 8 should be an install(1) call, and line (5) should probably be recursive.
[04:22] <twb> You should also ensure that e.g. PHP evaluation is disabled in such users' public_html dirs
[04:22] <twb> Oh, and htaccess, although IIRC that is off in the default configuration for those dirs
[04:23] <twb> Further discussion should be directed to #bash (for scripting) and #httpd (for apache httpd).
[04:23] <dravekx> I need php in userdirs. they have php apps. :S
[04:23] <twb> dravekx: they should probably have separate jails then
[04:23] <twb> dravekx: talk to the #httpd people about best practice; my policy is simply "no PHP on my system at all"
[04:23] <dravekx> they are jailed in the public_html folders.
[04:24] <dravekx> k
[04:24] <twb> dravekx: SSH is but not http, I expect
[04:24] <twb> i.e. they write and upload a PHP program, that PHP program when run won't be jailed by the sshd_config
[04:24] <dravekx> ah really? I didn't know that.
[04:25] <dravekx> lots to learn then. lol.
[06:57] <Thermionix> anyone think its worth setting up mcelog? running a c2d processor kernel 3.2 x64
[07:03] <sectionme> Anyone know of an option for nfs exports to allow nesting of mounts on the server-side, eg. /exports/work/{project1,project2,project3} which say project2 is on a different mount point, currently it gets exported as the empty directory as if it wasn't mounted, nohide doesn't seem to solve the issue.
[07:23] <renagadexx> I can't get a stupid damn subdomain to work with apache2. I've added virtual hosts to httpd.conf and I'm pretty sure the DNS is configured properly, but I keep getting 500 errors every time I go to the subdomain.
[07:23] <renagadexx> Any ideas why?
[07:23] <twb> Thermionix: IME no
[07:24] <greppy> renagadexx: anything in the logs?
[07:24] <renagadexx> yeah, want me to pastebin?
[07:27] <renagadexx> greppy: Let me paste. It may have something to do with pywebsocket...
[07:28] <cemc> hi. I have a 6core AMD Opteron server (HP DLXY G6), 16GB RAM. I've installed a 10.04.3 LTS 64bit on it, and then I installed a CentOS 6.2 64bit in a vm in KVM.
[07:28] <cemc> I have a constant 0.2-0.3 load on the host, but the vm is not doing anything at all.
[07:29] <cemc> http://pastebin.ubuntu.com/831053/ - this is the host, sorted by TIME column. that kvm is the only one running
[07:30] <cemc> http://pastebin.ubuntu.com/831056/ - this is the vm, also sorted by TIME
[07:30] <greppy> renagadexx: yeah, that's not apache that's having the problem, it looks like your python bits are the problem.
[07:31] <cemc> is there anything I should know about or tweak maybe, to not get this load. I mean if I start multiple VMs and I'll have 1+ load while idle, that's no fun
[07:31] <renagadexx> chill...I'll add handlers for the subdomain and see what happens!
[07:32] <sectionme> cemc: what kind of disk are you using for your guest? img/cow/cow2/etc or lvm? I've noticed load on my hosts using img over lvm.
[07:32] <cemc> sectionme: LVM
[07:33] <cemc> sectionme: should there be this much load with the vm idling?
[07:35] <sectionme> cemc: have you tried using kvm_stat?
[07:36] <cemc> sectionme: nope, I'm trying it now, thanks. anything else?
[07:37] <sectionme> cemc: could always try cloning your guest and starting that up also, see if there's an increase in load or if it remains the same on the host. I don't have any unloaded hosts here to try on myself, so can't help all that much more.
[07:38] <cemc> sectionme: alright, thanks for the tips anyway
[07:41] <sectionme> cemc: one thing that springs to mind is the kernel that the guest is running, eg. is it tickless? is it the equiv. of -virtual?
[07:43] <cemc> sectionme: I don't think so, it's the default centos 6.2 one. but the strange thing is, this same vm doesn't cause load on a centos 6.2 host with kvm
[07:43] <cemc> sectionme: how can I check the tickless part?
[07:45] <sectionme> cemc: that is a little strange, for the kernel config, it might be under /proc/config.gz depending on the kernel build.
[07:47] <sectionme> cemc: Btw have you tried asking in #kvm? They _should_ know better :)
[07:55] <renagadexx> greppy: well shit, mod python isn't playing nice
[07:56] <renagadexx> it's complaining there is no _path
[07:56] <cemc> sectionme: I will, thanks!
[08:14] <jasonmsp> hey all.. Im in the process of learning git and came up with a tutorial that is looking for gitk..  Since im sshd into the server I don't have a graphical interface, nor do I want to.  What is the alternative to gitk for a command line view?
[08:19] <greppy> jasonmsp: just... git?
[08:23] <sectionme> jasonmsp: http://stackoverflow.com/questions/1570535/guide-to-understanding-gitk explains some-what the commands gitk uses from git to display the information it does.
[08:24] <jasonmsp> thx
[09:40] <cemc> sectionme: seems like it was the usb/tablet 'hardware' I had enabled. after I removed it, load got back to 0.00
[09:49] <Daviey> Good morning, everyone
[10:12] <lynxman> morning o/
[10:12] <lynxman> Daviey: good morning, sir
[10:22] <jasonmsp> hey all.  Anyone know how to view what files will change before doing a git merge?  git diff remote/master seems to be showing the actual changes.  I just want to see what files will be changed.
[13:10] <jdstrand_> Psi-Jack: er apparmor documentation> have you seen https://wiki.ubuntu.com/AppArmor. it has links to man pages, server guides, upstream documentation and tutorials, etc
[13:11] <pmatulis> Psi-Jack: so the problem is a lack of documentation?
[13:47] <koolhead11> hi all
[14:19] <sectionme> cemc: glad you got it sorted.
[14:22] <cemc> sectionme: thanks for the help
[15:18] <samba35> how  to search for .iso  file from some web server
[15:23] <_ruben> samba35: try rephrasing your question as it does not make much sense
[15:25] <samba35> ok
[15:26] <samba35> if i want to download some iso file from abc server but i don't know location of url ,i want to search iso file and download it
[15:26] <BigRedS> samba35: it depends on whether the server offers a means of searching. It's not a standard feature
[15:27] <BigRedS> the web generally revolves around links for which the endpoints are known, it's not searchable like a filesystem
[15:27] <samba35> ok
[15:27] <_ruben> if said iso is linked from somewhere, google might have found it :)
[15:29] <samba35> i tried that
[15:30] <samba35> filetype:iso
[15:35] <SpamapS> jamespage: you around today?
[15:37] <mechcozmo> hello, does anyone here have experience installing OpenCV?
[15:38] <mechcozmo> I am trying to get the PHP face detection bindings to work, but every OpenCV guide has been broken or otherwise unhelpful
[15:47] <smb> zul, I hate to ask but... is there a good reason for xen in precise being 4.1.2-2ubuntu1 but xen-common being 4.1.0~rc6-1ubuntu2? (I mean mainly the 4.1.<0> compared to <2> part, cause Debians version in testing is 4.1.2-1
[15:48] <zul> smb: probably not...i can get that fixed right now
[15:48] <smb> zul, Ok, i'd appreciate that before I start complaining about the xendomains script being broken... ;-P
[15:48] <zul> :P
[15:50] <zul> smb: uploaded
[15:50]  * smb probably should save of his fixed version in case it is still broken...
[15:50] <smb> zul, Ok, I'll wait for that and check again
[16:05] <hallyn> SpamapS: there's an open bug for qemu-kvm, to have qemu-common Replace: qemu, which is only relevant for hardy2lucid upgrades.
[16:05] <hallyn> i can just mark it fix released (without adding that replaces) and then sru it right?
[16:13] <hallyn> (jfdi i say)
[16:14] <SpamapS> hallyn: hm
[16:14] <SpamapS> hallyn: bug #?
[16:15] <SpamapS> hallyn: are you suggesting that its no longer an issue in the main distro? If so, then Invalid would be the appropriate status.
[16:15] <SpamapS> hallyn: or if it literally already was fixed, then Fix Released
[16:19] <hallyn> SpamapS: <shrug> it's not an issue since qemu is now a meta-package.  sure, invalid it is.  thx
[16:28] <cloudgeek> any irc for hosting
[16:28] <cloudgeek> guys those using ubuntu server
[16:30] <SpamapS> hallyn: right, the bug status on the main release is just to signal to us SRU people that the fix doesn't need working on in the dev release.
[16:30] <EvilResistance> cloudgeek, i'm not sure i understand your question... what do you mean by "any irc for hosting"?
[16:30] <SpamapS> cloudgeek: "hosting" is almost as broad as "the cloud"
[16:31] <plm> people, I will buy a dell server.. R510, I really do not know if memory single rank is so good than dual rank
[16:31] <plm> 16GB RAM single rank is the same price of 32GB RAM dual rank
[16:31] <plm> what you think?
[16:39] <SpamapS> hallyn: IMO, all hardy2lucid bugs are High importance.
[16:57] <rbasak> smoser: instead of cache deny for squid.conf hitting an apt mirror, I'm using "refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz)$ 0 0% 0;refresh_pattern \/Release(|\.gpg)$ 0 0% 0". It forces squid to check for updates every time, but it will still use the cache if the file hasn't changed. Seems to work and speed things up a bit.
[16:58] <rbasak> I would propose a change to orchestra, but not sure if that's worth doing right now.
[17:00] <SpamapS> rbasak: lifeless pointed out that this will only work if all RRdns partners return the same Etag/etc.
[17:01] <rbasak> they sync the mtime though, right? If they do, then it'll fail by refreshing, which is the same as a cache deny anyway.
[17:02] <SpamapS> rbasak: thats basically the same as must-revalidate , if I understand must-revalidate
[17:02] <rbasak> OK
[17:02] <rbasak> I think I need to learn more about this
[17:03] <SpamapS> rbasak: the mtimes will be the same once all mirrors are up to date, yes. But there are large multi-minute windows where they are not in sync.. which has been the frustration thus far
[17:03] <rbasak> I think this needs to be sorted out - by modifying apt if needed. With all the automated installation that's going to be on (juju, cobbler, mass, etc) there needs to be a way to make this work flawlessly.
[17:04] <smoser> rbasak, it is definitely worth fixing.
[17:04] <smoser> (this is part of the reason i sent the pastebin)
[17:04] <smoser> so that someone would say "thats stupid"
[17:04] <smoser> hoping that that someone would be lifeless
[17:04] <smoser> and he would say "this is how you should do it"
[17:04] <SpamapS> "The workarounds are either must-revalidate (server side, works but only if all the round-robin mirrors are returning the same ETag and other metadata) or not caching the signed content.
[17:04] <rbasak> well you're doing the same as orchestra-server which I think is sensible
[17:05] <SpamapS> I believe cache deny matches the 'not caching the signed content'
[17:05] <smoser> so what i might do for my proxy, is to pin to a single mirror
[17:05] <SpamapS> smoser: is there any movement on producing an atomic apt-mirror?
[17:06] <rbasak> Is there a bug on this? I'm thinking "apt-get and debootstrap should work flawlessly with http proxies against our mirrors"
[17:06] <smoser> but SpamapS that is the least complicated of the issues.
[17:06] <smoser> the larger issue is the multi-mirror inconsistent.
[17:07] <smoser> clearly the single mirror inconsistent is REALLY BAD.
[17:07] <patdk-wk> I personally had nothing but issues with squid and pkg caching
[17:07] <patdk-wk> switched to apt-cacher-ng to fix it
[17:07] <smoser> but that problem goes very much away after release, and SRUs taper off...
[17:07] <jacobw> hello
[17:07] <smoser> patdk-wk, well, i've seen issues in apt-cacher-ng too, under load.
[17:08] <SpamapS> smoser: indeed, its basically in need of a 2-phase commit
[17:08] <patdk-wk> smoser, ya, older apt-cacher-ng I had some issues too, haven't recently though
[17:08] <SpamapS> smoser: build new mirror copy on all mirrors.. when they're all consistent, commit them all at once
[17:08] <jacobw> wrt slapd on current lts, how can i find out what rootdn,rootpw,basedn etc the configure scripts have chosen for me?
[17:08] <SpamapS> smoser: rsync --link-dest would work
[17:08] <smoser> SpamapS, yeah. it is definitely improvable.
[17:08] <SpamapS> For the client side.. all we can do is retry.
[17:09] <smoser> but i do not know of anyone working on it.
[17:09] <smoser> but for my proxy, i think i'll just pin squid to a single mirror
[17:09] <smoser> and then use rbasak's suggestion to cache those if they're valid.
[17:09] <SpamapS> smoser: I'd be reasonably happy with an option for apt-get like --retry-on-inconsistent-mirror
[17:09] <jacobw> without searching for guessed tree structures name based on current hostname
[17:09] <smoser> as a 'apt-get update' is like 22M now.
[17:10] <lifeless> oh
[17:10] <lifeless> someone should really file a bug (if they haven't) about squid rotating between round-robin hosts too much
[17:10] <lifeless> or at least there being no knob
[17:10] <rbasak> I don't think that's a bug
[17:11] <rbasak> I think the bug is that apt+mirror system needs to not break when there's an http-compliant proxy cache in the middle
[17:11] <lifeless> there are valid reasons to want slow rotation in the client
[17:11] <lifeless> that is definitely something we(squid) should support tuning of
[17:11] <rbasak> slow rotation would just reduce the error rate.
[17:11] <rbasak> the real solution should result in a zero error rate
[17:12] <lifeless> agreed; that requires either apt handling it (by retrying with a max-age 0
[17:12] <lifeless> or a different disk format
[17:12] <lifeless> because this error is intrinsic and can happen with no caching present at all
[17:13] <rbasak> Am I right in understanding that the only intrinsic problem here is if the Release and Packages files don't match, because they conceptually update atomically but we see a skew?
[17:13] <smoser> yeah. so no matter what, apt should support retrying
[17:13] <smoser> as "Read Release", "Read Packages" is going to result in out of sync at some point
[17:14] <smoser> with increased likelihood over a slower connection
[17:14] <smoser> but i think that might be getting fixed...
[17:14] <smoser> by putting the Release and the Packages in the same file ? or something to that extent in apt.
[17:14] <SpamapS> Perhaps the answer long term is that Packages* should be versioned
[17:14] <SpamapS> Release would point to the current version of Packages
[17:15] <smoser> yeah, joining them doesn't really help.
[17:18] <SpamapS> seems like this would be an easy, backward compatible fix
[17:18] <SpamapS> Release can grow some new bits that don't interfere w/ old versions of apt reading it.
[17:18] <SpamapS> The Packages file can still be updated as a link to the latest version
[17:18] <SpamapS> but new versions of apt will grab the latest versioned Packages file.
[17:18] <lifeless> rbasak: no, thats one of the intrinsic issues
[17:19] <lifeless> rbasak: there are three;
[17:19] <lifeless> a) Foo and Foo.gpg having skew
[17:19] <rbasak> thanks
[17:19]  * rbasak is filing a bug on this
[17:19] <smoser> rbasak, i'm filing squid bug
[17:19] <lifeless> b) chained signed-by-hashes having skew (Release->Packages, Packages->other)
[17:19] <rbasak> I was filing an apt bug
[17:19] <adam_g> rbasak: ping
[17:19] <adam_g> er
[17:19] <smoser> we have a open RT for canonical IS regarding "mirrors sometimes/often inconsistent"
[17:19] <adam_g> roaksoax: ping
[17:20] <smoser> rbasak, but please file a "apt should support retry" or something.
[17:20] <lifeless> c) garbage collection occurring during slow clients (a special case of b, where the referenced file is a .deb)
[17:20] <lifeless> there are bugs filed
[17:20] <lifeless> no need to file dupes
[17:20] <rbasak> what are the bug numbers, please? I couldn't find any.
[17:20] <lifeless> bug 24234 bug 33505
[17:21] <rbasak> Fix released?
[17:21] <smoser> https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/927744
[17:21] <lifeless> I haven't checked the change that was made, so can't comment on the appropriateness
[17:22] <lifeless> the IS response to these issues is (reasonably so) to try and mitigate as much as possible
[17:22] <lifeless> the root cause is the apt disk format; a tolerable workaround can be done by apt-get itself in principle (but with limited success as some intercepting (aka transparent) proxies do not honour cache-busting requests.
[17:22] <smoser> rbasak, for my proxy, i'll just update /etc/hosts and pin squid to one mirror.
[17:23] <lifeless> I have to go, baby needs me
[17:23] <smoser> can you give me a suggested squid.conf given that ?
[17:23] <smoser> for reference, the original is at http://paste.ubuntu.com/831432/
[17:24] <Pici> 58
[17:25] <rbasak> smoser: OK, I reckon then http://paste.ubuntu.com/831618/
[17:25] <lifeless> smoser: just putting the host that apt is using in the hosts file should be enough
[17:25] <smoser> lifeless, right.
[17:25] <smoser> but then i want to have it cache, and currently it denies all of those.
[17:26] <lifeless> for the refresh pattern thing; mm, I'm not sure it will dtrt, but I can't dig into it now. syntax error on that alt config btw - RELEASE isn't defined
[17:26] <lifeless> give it a go, your test bed should show it up fairly quickly
[17:26] <rbasak> smoser: oops, remove line 47
[17:31] <smoser> rbasak, so it would seem that deny is no better than your solution for orchestra, right?
[17:31] <smoser> and we might as well have yours.
[17:31] <smoser> err.. deny is definitely worse (caches less) and does  not improve or worsen the inconsistent issue
[17:32] <rbasak> smoser: I believe so, yes. But without a /etc/hosts pin, I was still getting mirror errors, so I didn't propose a change.
[17:32] <smoser> rbasak, well, there are still 2 issues..
[17:32] <smoser> a.) host actually inconsistent (non-atomic update)
[17:32] <smoser> b.) apt general issue even in perfectly atomic archive update
[17:32] <smoser> but you were probably hitting 'a'
[17:33] <rbasak> Yes, I think so
[17:33] <smoser> which does happen, and i had a script running, and saw that number to be 1 or 2 % of my attempts
[17:33] <smoser> on precise
[17:33] <smoser> something on that order... way too high. but it largely goes away after release (when archive is less active)
[17:33] <smoser> so we should propose the change.
[17:36] <rbasak> So in the automated testing I've been doing, since Thursday night, I've had: 923 successful installs, two unknown (timeouts), 1 kernel oops, 26 debootstrap failures, 19 other what I think are mirror failures, 3 kernel panics, and 67 of another type of what I think are mirror failures.
[17:37] <rbasak> So ignoring the other problems, I believe I have a 4% installation failure rate due to some kind of mirror skew.
[17:37] <rbasak> That's using my proposed squid.conf, though no pinning of mirror on my squid host (which I've just added)
[17:39] <smoser> rbasak, https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/927750
[17:40] <smoser> rbasak, if you pin, you will really decrease your failure rate on apt
[17:40] <smoser> and if you pin to one of the "new mirrors" you'll further decrease
[17:40] <rbasak> smoser: I'm just restarting my statistics. I'll let you know :-)
[17:40] <smoser> (ie, older mirrors just slower hardware and rsync slower)
[17:40] <rbasak> Which is a "new mirror"?
[17:40] <smoser> i dont know. .
[17:40] <smoser> :)
[17:42] <smoser> i think actually, they may have removed those recently.
[17:42] <smoser> but from  bad memory, i might suggest not selecting
[17:42] <smoser>  31.88.189.91.in-addr.arpa domain name pointer leningradskaya.canonical.com.
[17:44] <smoser> and instead, pick one of them that is in http://paste.ubuntu.com/831636/ multiple times.
[17:44] <smoser> i picked cursa
[17:45] <Vexiant> https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration
[17:45] <Vexiant> I need help with the DNS caching part
[17:46] <Vexiant> can anyone help me?
[17:49] <rbasak> smoser: thanks, I'll also use cursa for consistency in case we have issues later
[17:49] <rbasak> smoser: interestingly cursa is one after ports of which there is only one
[17:50] <rbasak> Actually, that's a point. I've been using ports, of course, so I shouldn't have been having the hitting two different mirrors problem at all.
[17:50] <smoser> hm..
[17:50] <smoser> i dont know.
[17:50] <smoser> maybe the ports are just slower ?
[17:51] <smoser> maybe that host is slow and thus open more so to single-inconsistency issues.
[17:51] <acidflash> hi everyone
[17:52] <acidflash> ping: sendmsg: Operation not permitted <-- i am getting this message occasionally, i have googled it, but i dont have ipmasq or anything in iptables which might cause that problem
[17:52] <acidflash> it is happening when i get really high loads on my network card (ie: about 10,000 packets @ 70 Mb)
[17:52] <sectionme> acidflash: sounds like you're trying to do something that requires root, eg. ping -f
[17:52] <acidflash> any ideas or suggestions?
[17:52] <acidflash> i am logged in as root sectionme
[17:53]  * sectionme shrugs shoulders
[17:53] <cwillu_at_work> acidflash, I'm going to go with "prove it" :p
[17:54] <acidflash> cwillu_at_work: im not sure what you mean ?
[17:56] <cwillu_at_work> acidflash, as a general rule of troubleshooting, when somebody tells you "I'm pretty sure", you shouldn't be surprised if the opposite ends up being the case
[17:56] <cwillu_at_work> that said
[17:57] <cwillu_at_work> I'm apparently incapable of reading english today
[17:57] <cwillu_at_work> could have sworn that "<acidflash> i am logged in as root sectionme" was "<acidflash> i am logged in as root sometimes"
[17:57] <acidflash> cwillu_at_work: hehe :)
[17:57] <cwillu_at_work> acidflash, can you provide the exact command line you're using, and any other relevant details? :p
[17:57] <acidflash> sure
[17:58] <acidflash> ubuntu 10.04
[17:58] <acidflash> ubuntu-server*
[17:58] <acidflash> i am using this as a caching server
[17:58] <acidflash> 10.04 -> one of the network cards is a gigabit pci-express card
[17:58] <acidflash> there is about 10K Packets @ about 70 Mb traffic
[17:59] <acidflash> iptables is just redirecting any incoming connection to port 3128
[17:59] <acidflash> nothing else running except openssh and the server software
[17:59] <cwillu_at_work> can you provide the exact command line you're using,
[17:59] <acidflash> yes
[17:59] <acidflash> ping xx.xx.xx.xx
[17:59] <acidflash> :)
[18:00]  * cwillu_at_work is unimpressed
[18:00] <acidflash> no switches or parameters
[18:00] <acidflash> will occasionally go from <1 to 1.x ms
[18:00] <acidflash> and then it will give: ping: sendmsg: Operation not permitted
[18:00] <acidflash> for a few times, then it works again
[18:01] <cwillu_at_work> are you pinging an ip or a hostname?
[18:01] <cwillu_at_work> and is it ipv4 or v6?
[18:01] <acidflash> ipv4
[18:01] <acidflash> and its an ip
[18:02] <cwillu_at_work> what do you mean precisely by "iptables is redirecting any incoming connection to port 3128"?
[18:02] <acidflash> i can show you
[18:02] <acidflash> 1 min
[18:02] <acidflash> /sbin/iptables -I PREROUTING -t nat -p tcp --dport 80 -i ${local} -j REDIRECT --to 3128
[18:02] <acidflash> /sbin/iptables -A PREROUTING -t nat -j MASQUERADE
[18:02] <cwillu_at_work> acidflash, pastebin is good
[18:02] <acidflash> sorry,
[18:02] <acidflash> you're right
[18:02] <cwillu_at_work> (for one thing, it allows me to continue to see these things after they've scrolled off the top)
[18:02] <acidflash> okie yes
[18:03] <cwillu_at_work> acidflash, can you pastebin the output of iptables --list-rules?
[18:03] <acidflash> http://pastebin.com/CQ9kA6BF
[18:03] <acidflash> yes
[18:04] <acidflash> http://pastebin.com/pfWEVcPf
[18:06] <cwillu_at_work> acidflash, iptables --list is as empty?
[18:06] <acidflash> http://pastebin.com/rUquhzhi
[18:08] <roaksoax> smoser: bug #927750 IIRC, doing so created cache errors
[18:09] <cwillu_at_work> acidflash, and what address are you pinging?
[18:09] <acidflash> my gateway
[18:09] <cwillu_at_work> loopback?  address of the machine?  other machine on the same segment?
[18:09] <cwillu_at_work> k
[18:11] <smoser> roaksoax, there are caching errors, but it seemed to those present here in that discussion that they would not be worsened by this.
[18:11] <smoser> hm...
[18:14] <cwillu_at_work> acidflash, sorry, my iptables is rusty
[18:14] <zul> adam_g: just as a heads up ill be merging some of the debian keystone changes (dbconfig changes mostly) this week
[18:14] <acidflash> its ok
[18:14] <cwillu_at_work> acidflash, can you do iptables --list-rules -t nat
[18:14] <cwillu_at_work> (important -t there :p
[18:14] <cwillu_at_work> acidflash, and on a similar note, does it work before you add those rules?
[18:15] <adam_g> zul: cool
[18:15] <acidflash> it worked fine before and after, the only thing that increased was the traffic
[18:15] <acidflash> it wasnt that much before
[18:15] <acidflash> about 5-6K packes
[18:15] <acidflash> packets
[18:15] <acidflash> http://pastebin.com/F5jYwLhv
[18:15] <roaksoax> smoser: right, but caching those files kinda broke the cache various times IIRC, forcing us to clear the cache, and restart squid
[18:16] <smoser> right.
[18:16] <smoser> yeah.
[18:16] <smoser> that sucks.
[18:16] <smoser> so you just cache a broken state, which is not good.
[18:17] <roaksoax> exactly
[18:17] <smoser> but it still should resolve itself as the etag should only go forward
[18:17] <smoser> so you'd just be stuck until the mirrors were in a consistent state.
[18:17] <smoser> dpm
[18:17] <smoser> s/dpm//
[18:17] <smoser> don't you think?
[18:18] <roaksoax> smoser:  yeah, which caused some of the problems we experienced before
[18:18] <smoser> roaksoax, but only sort of.
[18:18] <rbasak> Yeah, I think it'll be fine unless the mtime appears to go backwards
[18:18] <smoser> because if you're saying "not caching anything made it better"
[18:18] <smoser> that simply can't be true
[18:18] <roaksoax> smoser: i'm not against committing your fix, but rather, if problems show back again, then we can simply revert changes
[18:19] <smoser> hm..
[18:19] <smoser> yeah.
[18:19] <smoser> yeah.
[18:19] <smoser> there are lots of issues at play here.
[18:19] <roaksoax> indeed
[18:19] <smoser> and unfortunately it doesn't look like they're all going to be fixed at once
[18:19] <smoser> (or even by 12.04 release)
[18:20] <rbasak> roaksoax: by default, squid will cache a file for some period of time before checking to see if it has been updated upstream. It sounds like this is what was biting you. So you can either set squid never to cache the file, or to check it against the mirror every time. This change will make it check against the mirror every time. I'm not sure there is a situation where the check will return that the cached file can be served even though a newer one
[18:20] <rbasak>  is available on the mirror, and if this is true then this change is safe.
[18:21] <cwillu_at_work> acidflash, double check that ipmasq isn't installed?
[18:21] <cwillu_at_work> (or rather, the binary isn't there)
[18:22] <cwillu_at_work> acidflash, can you post lspci?
[18:22] <acidflash> yes
[18:23] <acidflash> http://pastebin.com/ZT3TdVyB
[18:24] <cwillu_at_work> acidflash, http://lists.danga.com/pipermail/memcached/2006-September/002726.html seems to show the same symptoms, but there's no resolution there, or any real details beyond the "ping fails under load" thing
[18:24] <cwillu_at_work> acidflash, and which interface is the one where things stop working?
[18:24] <cwillu_at_work> the realtek or the marvell?
[18:24] <acidflash> via gigabit pci-x
[18:25] <acidflash> ahh i dont see it in the list
[18:25] <acidflash> let me find it, 1 min
[18:25] <cloudgeek> any webshoter here
[18:26] <acidflash> yeah its the realtek
[18:26] <roaksoax> rbasak: sure, I don't really mind merging the fix, what I'm saying is that if I come across the nasty issues seen during the oneiric cycle, it will be merged back to original
[18:26] <cwillu_at_work> acidflash, what's the current value of /proc/sys/net/ipv4/ip_conntrack_max, if you have such a key?
[18:26] <acidflash> i dont, but i can show you if you want my sysctl parameters
[18:26] <rbasak> ok, fair enough
[18:26] <cwillu_at_work> acidflash, just cat /proc/sys/net/ipv4/ip_conntrack_max
[18:26] <acidflash> they are injust to the system
[18:26] <acidflash> ok
[18:27] <roaksoax> rbasak: cool then ;)
[18:27] <acidflash> no such file or directory
[18:28] <cwillu_at_work> acidflash, mind pastebinning the output of dmesg?
[18:29] <acidflash> sure
[18:29] <cwillu_at_work> (note that this may include your ip address :p)
[18:29] <acidflash> cwillu_at_work: no problem, anything specific you want to see in dmesg or do you just want me to do a straight forward dmesg?
[18:29] <cwillu_at_work> whole thing please
[18:29] <cwillu_at_work> I'm just on a fishing expedition at the moment
[18:30] <acidflash> okie
[18:31] <acidflash> just a moment pastebin is under heavy load at the moment, pastebinit cant create a link
[18:31] <acidflash> http://pastebin.com/F55DnnS3
[18:32] <cwillu_at_work> acidflash, I think we have a winner
[18:32] <cwillu_at_work> nf_conntrack: table full, dropping packet
[18:32] <acidflash> cwillu_at_work: okie, kernel overload you think ?
[18:32] <kerframil> just as an aside, that path might not be right (in recent kernels anyway). sysctl -n net.netfilter.nf_conntrack_max should be reliable.
[18:32] <cwillu_at_work> kerframil, thanks
[18:32] <cwillu_at_work> acidflash, ^^
[18:33] <acidflash> aha, so its the kernel not the card dropping the packets?
[18:33] <cwillu_at_work> what does sysctl -n net.netfilter.nf_conntrack_max  say?
[18:34] <acidflash> 65536
[18:34] <cwillu_at_work> and net.netfilter.nf_conntrack_count?
[18:34] <acidflash> 65502
[18:34] <kerframil> ouch
[18:35] <acidflash> i think im starting to understand why
[18:35] <acidflash> thats the maximum amount of open tcp sessions ?
[18:35] <cwillu_at_work> acidflash, what sort of load is on the machine?
[18:35] <acidflash> and how much i currently have?
[18:35] <kerframil> acidflash: that can be handled by the connection tracking system in netfilter (not just tcp either)
[18:35] <acidflash> its a caching server serving around 5000 users
[18:35] <acidflash> caching proxy
[18:35] <cwillu_at_work> acidflash, yes, although I think it's actually "things that it's tracking", not necessarily just tcp
[18:35] <acidflash> mm
[18:37] <acidflash> okie can i increase the conntrack_max number in sysctl?
[18:37] <acidflash> or is that not recommended
[18:37] <kerframil> acidflash: yes. see also /etc/sysctl.conf.
[18:37] <acidflash> okie i thought so
[18:37] <kerframil> acidflash: acidflash: if you actually need connection tracking, just increase the limit and keep an eye on the count in future. you can also use the 'RAW' table in netfilter to except some connections from connection tracking (I do this for traffic to and from LAN subnets, not being forwarded).
[18:37] <kerframil> oops, sorry for double nick
[18:38] <acidflash> kerframil: the second option sounds like something worth reading about, can you point me somewhere ?
[18:38] <acidflash> and yes i am going to set the value in sysctl to something larger
[18:38] <kerframil> acidflash: googling will turn up some stuff, as will the man page. I can give you a direct example.
[18:38] <acidflash> okie, ill do
[18:39] <kerframil> http://dpaste.com/698479/
[18:39] <acidflash> i think i am going to set that conntrack_max to about 200,000
[18:39] <kerframil> in my case, $local_net contains "10.0.0.0/16". the important thing is never to use this trick for packets being forwarded - otherwise you can end up in hot water.
[18:40] <kerframil> that's why -s and -d are the same there
[18:40] <acidflash> aha
[18:40] <kerframil> as for conntrack_max, please use a power of 2. if you increase it to something significant (like I do), consider changing the bucket size. moment.
[18:41] <acidflash> kerframil: okie, but apparently it cant be set in the sysctl.conf
[18:41] <acidflash> couldnt be in 2007, not sure about now though, im reading
[18:42] <kerframil> acidflash: conntrack_max?
[18:42] <acidflash> yes
[18:42] <acidflash> no it seems you can
[18:42] <acidflash> i think that article is just old
[18:43] <kerframil> acidflash: http://rackerhacker.com/2008/01/24/ip_conntrack-table-full-dropping-packet/#comment-15409
[18:43] <acidflash> yah i was reading that :D
[18:43] <kerframil> acidflash: very good comment there
[18:44] <kerframil> acidflash: I have conntrack max at 2^21 (2 million) and have changed the hashsize to maintain a bucket depth of 4
[18:44] <acidflash> kerframil: thats a great article thanks a lot for the help..
[18:44] <acidflash> I am going to read it and make some changes
[18:44] <acidflash> if i have any more problems, ill be back, but in the mean time thanks a lot for your help guys
[18:49] <kerframil> acidflash: also worth bearing in mind is that the default period for a TCP connection being reaped within conntrack is a week
[18:50] <kerframil> acidflash: net.netfilter.nf_conntrack_tcp_timeout_established
[18:51] <acidflash> kerframil: my software normally times out after 60 seconds, do you think i should set it in sysctl as well?
[18:52] <kerframil> acidflash: I would say that's far too short. this determines after which time conntrack considers a TCP connection as dead after it has been established but where it is inactive (no traffic seen)
[18:52] <kerframil> acidflash: I use 24 hours, if you want a benchmark
[18:53] <kerframil> the being established part is obviously done through the initial SYN and the three way handshake. but, in my case, I don't want inactive connections to clog up the table for a whole week.
[18:58] <RoyK> can some smart-guy out there explain to me where the libpng.so binary file may reside? http://paste.ubuntu.com/831720/
[19:05] <pmatulis> RoyK: you want to find the file on your filesystem?
[19:05] <koolhead17> netsplit
[19:05] <JanC> RoyK: what ubuntu version?
[19:09] <JanC> if you are using 11.10, it's probably located in /lib/x86_64-linux-gnu/libpng12.so.0.46.0
[19:10] <JanC> if you are looking for the real file and not the symlinks used for compatibility
[19:13] <RoyK> JanC: lucid - it was under /lib
[19:13]  * RoyK wonders wtf such libs are placed under /lib and not /usr/lib
[19:16] <SpamapS> RoyK: because the boot splash uses it
[19:18] <RoyK> ah
[19:20] <JanC> RoyK: right, lucid didn't have multiarch yet  ☺
[19:20] <RoyK> nope, it doesn't
[19:20] <RoyK> but I don't use anything non-lts for servers...
[19:21] <JanC> 12.04 LTS will have multiarch
[19:21] <RoyK> yeah
[19:21] <JanC> which is very cool  ☺
[19:21] <RoyK> so I guess I'll move to that when 12.04.1 is released
[19:21] <RoyK> (which is, IIRC, the default upgrade path)
[19:22] <JanC> AFAIK it is
[19:22] <RoyK> perhaps upgrade the compute nodes first - some of those scientists are rather greedy on new versions...
[19:24] <JanC> RoyK: if new versions improve compute time significantly, I can understand
[19:25] <RoyK> not really, but they come with new versions of scipy/numpy
[19:25] <JanC> although in most cases improving algorithms is likely to help a lot more
[19:26] <JanC> well, I guess upgrading those on an LTS should be possible too (maybe providing them through -backports)
[19:27] <RoyK> JanC: or, as we do, compile them in a separate tree and just use whatever versions needed
[19:27] <JanC> right
[19:27] <JanC> although having them available in some repository would be nice
[19:28] <JanC> provided scientist organisations want to cooperate on that...   :P
[19:28] <RoyK> not really, better keep a baseline for most and let those in desperate need for the latest and hottest and hippest compile their own in a shared folder somewhere
[19:30] <RoyK> there's a "scientific linux", which should be rather well updated, but, being redhat-based, I don't want to touch it
[19:30] <_johnny> hi. any gdb users? i used to have a cmd which gdb would evaluate every time it breaks. like "x/s $eax" and such. i can't see *watch doing this. am i making this up, or? :)
[19:49] <hallyn> Daviey: for adding a (lxc) section to ubuntu server guide.  there is no 12.04 server guide yet.  is there a staging area for it?  Or should i start with a basic (oneiric-relevant) section in the 11.10 server guide, and just wait to add the precise bits?
[19:52] <skyler_> Hi, does anyone know how to raise the virtual memory limit?
[19:54] <SpamapS> skyler_: what do you mean by "the virtual memory limit" ?
[19:55] <skyler_> When I try to compile anything, I get: "virtual memory exhausted: Cannot allocate memory"
[19:55] <skyler_> so (as suggested by google) I ran ulimit -v 20000
[19:55] <skyler_> and now I can't even run ls
[19:56] <skyler_> and I can't raise the limit back to what it was
[19:56] <Vexiant> I need help
[19:56] <Vexiant> https://help.ubuntu.com/10.04/serverguide/C/dns-configuration.html#dns-caching-configuration
[19:56] <Vexiant> "The default configuration is setup to act as a caching server. All that is required is simply adding the IP Addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/named.conf.options:"
[19:56] <Vexiant> can someone help me?
[19:57] <Daviey> hallyn: can i answer that tomorrow?  I need to check in the docs team (and other matters.)
[19:57] <adam_g> roaksoax: ping
[19:59] <hallyn> stgraber: now, emitting the net-device-up for lo in lxcguest for oneiric+precise won't hurt anything right?  ( seems not worth checking the container release before emitting)
[19:59] <hallyn> (re bug 924337)
[20:00] <stgraber> hallyn: should be safe indeed
[20:00] <hallyn> thx
[20:01] <roaksoax> adam_g: pong
[20:02] <Vexiant> I see that everyone else can get help other than me
[20:02] <hallyn> hm, i suppose lp:~serge-hallyn/+junk/lxc-test could be turned into a lxctest package residing in lxc source pkg....
[20:03] <hallyn> (not today)
[20:03] <adam_g> roaksoax: is there any way to limit the number of concurrent requests cobbler makes to power management?
[20:04] <adam_g> roaksoax: for whatever reason, that CDU in the CI lab is slowing down and requests sometimes get lost if the CDU is busy handling 5 other calls
[20:04] <roaksoax> adam_g: i don't think there's a way to do that in cobbler
[20:05] <roaksoax> adam_g: maybe, the CDU's configuration provides a way to control concurrent requests for that matter
[20:05] <hallyn> jodh: /etc/init/lxcmount.conf currently emits 'mounted MOUNTPOINT=/run'.  (will stop soon).  but it doesn't have an 'emits mounted' at top.  What will go wrong?
[20:06] <adam_g> roaksoax: couldn't find anything. might create some little daemon to queue and dispatch requests accordingly, cobbler can just call that instead
[20:07] <roaksoax> adam_g: maybe that would be a good improvement within cobbler
[20:07] <roaksoax> s/within/for
[20:08] <adam_g> roaksoax: or the fence agents libraries
[20:09] <JanC> hallyn: "emits ..." is only documentation, so nothing should go wrong?
[20:09] <JanC> (or did I miss something)
[20:13] <roaksoax> adam_g: or that too, but maybe, could it be a bug within the cdu agent itself? maybe it's not correctly closing the connections to the cdu
[20:14]  * roaksoax brb
[20:15] <adam_g> roaksoax: thats all handled by the fencing.py library (which is a bit of a mess, IMHO)
[20:19] <hallyn> JanC: thanks, that's what i was wondering.
[20:19] <hallyn> esp whether some automated tools might miss out on possible event paths...
[20:27] <JanC> hallyn: there might be automated tools depending on this documentation of course, but not in default Ubuntu AFAIK
[20:28] <JanC> I mean, everybody can write a script depending on that without knowing it's not mandatory
[20:29] <roaksoax> adam_g: most likely lol!
[20:30] <hallyn> naturally :)
[20:33] <hallyn> stgraber: do you see any issue with http://people.canonical.com/~serge/lxc_0.7.5-3ubuntu18.dsc?  (It seemed best to add the emit to a new 'start' section rather than the pre-start script...)
[20:33] <hallyn> oops
[20:33] <hallyn> meant http://people.canonical.com/~serge/lxc.debdiff
[20:35] <stgraber> hallyn: hmm, this looks wrong, different code path as what we have starting with oneiric/precise
[20:36] <stgraber> hallyn: you should either do "ifup --allow auto lo" or emit net-device-added
[20:37] <stgraber> hallyn: emitting net-device-up bypasses ifupdown and all the scripts in /etc/network/* which doesn't seem right
[20:38] <stgraber> hallyn: "initctl emit net-device-added INTERFACE=lo" should give you the same thing as you'd get from udev on a regular system
[20:40] <hallyn> hm, ok, yeah.  i think that's what i originally did during natty cycle.  thanks.
[20:41] <hallyn> stgraber: you think i should do -n there?
[20:41] <hallyn> probably not.
[20:47] <stgraber> hallyn: I'd recommend the -n otherwise you'll end up stuck there until the whole list of dependencies has been processed and all these jobs are started
[20:47] <stgraber> which in this case, should only be network-interface.conf but well, probably still a good idea
[20:49] <hallyn> notes that lxcmount.conf doesn't do -n.  i suppose i should add it?
[23:18] <kirkland> jcastro: ping
[23:18] <mgw> pong
[23:18] <mgw> oh sorry, didn't see jcastro part
[23:18] <mgw> :-)
[23:28] <StrangeCharm> I backed up my secring, exported my primary key (& its subkeys) to a file, then made changes to the subkeys. I deleted some of my encryption subkeys, but not to worry, because I have backups! However, I can't seem to get GPG to re-import the sub-keys. When I import the key file, it's all like "Oh, I already have that master key, so I don't need to worry about its subkeys." I want those subkeys back in my main key, how do I fix it?
[23:35] <hallyn> stgraber: any complaints from you if I switch lxc over to upstart?
[23:36] <hallyn> We might end up missing new features in Debian as a result...
[23:48] <hallyn> man apt-cacher-ng is really messed up
[23:49] <stgraber> hallyn: no complaint, just make sure the start condition works for most use cases (at least wait for local-filesystems, possibly for more)
[23:50] <hallyn> stgraber: i'd probably do "start on (runlevel [2345] and stopped networking RESULT=ok)" like libvirt does
[23:50] <hallyn> which, actually, i thought i changed that in libvirt
[23:51] <chelz> does anyone or has anyone heard of various runlevels actually being used?
[23:51] <hallyn> thought that had been set to 'static-network-up'
[23:53] <stgraber> hallyn: RESULT=ok for networking is risky
[23:53] <stgraber> hallyn: networking is meant as a fallback for interfaces that can't be brought up by events, so someone making a typo in some of these interfaces would prevent your job from starting ...