/srv/irclogs.ubuntu.com/2012/03/06/#ubuntu-server.txt

uvirtbot`	New bug: #947617 in lxc (universe) "After update, lxc does not start" [Undecided,Confirmed] https://launchpad.net/bugs/947617	00:20
=== sixstringsg\|away is now known as sixstringsg
kieppie	hi guys. are there any details available re virt for the upcoming 12.04 release? I'm thinking of re-installing my new host once it's released, and I'd like to know what to expect. I saw "openstack" as an option when I installed a desktop beta	00:35
SpamapS	kieppie: openstack isn't really "virt" as much as "api + management + scaleout of virt"	00:39
SpamapS	kieppie: for just a single box.. libvirt is still good	00:39
kieppie	thanks for that, SpamapS: I'm still running LTS 10.04.x on my production box, so I'd like to upgrade to the new stack with the next release.	00:41
kieppie	using KVM + libvirt	00:42
kieppie	if oVirt (I think?) is production-reasdy & in the repo or a stable PPA by then, that would be nice	00:42
SpamapS	kieppie: yeah not much has changed there.	00:42
kieppie	thinkning about building a HA/faIL-OVER CLUSTER WITH REDUNDENT RESOURCES	00:43
SpamapS	kieppie: ovirt is not included AFAIK	00:43
kieppie	sry (caps)	00:43
kieppie	what's the other one....?	00:43
SpamapS	no clue.	00:43
kieppie	convirt/convirture 2 - that's the one...	00:44
kieppie	also, would be nice to get the desktop-virt going, with SPICE	00:44
kieppie	but I can't find much of the way of news or what to expect on the server-side/virt-side re the next release - much of the focus has been on the desktop/UI advances	00:45
SpamapS	kieppie: spice has had some work done	00:47
kieppie	yea - I figured.... really looking forward to that....	00:47
SpamapS	kieppie: the release notes tend to solidify very late in the cycle	00:47
SpamapS	kieppie: The biggest change is definitely OpenStack vs. Eucalyptus as the cloud service in main	00:49
kieppie	SpamapS: is there anything I could look at now that could give me some insight or get me exited?	00:49
kieppie	please?	00:49
SpamapS	kieppie: I wrote this blog post a bit ago that talked about the stuff done over the last 2 years, but it is not really virt focused: http://fewbar.com/2012/03/precise-is-coming/	00:50
kieppie	cheers	00:50
kieppie	hehehe - pic looks familiar. ran across this page not that long ago :)	00:52
kieppie	what is Juju? I've encountered it, but not really paid much attention.	00:58
kieppie	is JuJu to services/SaaS what chef/puppet is to PXE hosts?	00:58
SpamapS	kieppie: Its not a perfect map. I say juju is to chef/puppet as apt-get/dpkg are to './configure && make && sudo make install'	00:59
SpamapS	kieppie: the idea is that you just want a service, not necessarily a server.	00:59
kieppie	interresting.....	01:00
kieppie	extremely abstract, though. quite a departure from what I'm used to	01:00
SpamapS	kieppie: its quite concrete when you think about how you actually want to deploy stuff though.	01:03
SpamapS	kieppie: instead of trying to figure out how to deploy stuff AND THEN integrate with it.. you just deploy it, then figure out how to integrate with it.	01:04
kieppie	if I understand it (probably very poorly), this could be a great way of fluidly managing services across clusters, local or remote. not unline AC2 instances, etc with OpenStack, Orchestra, Bitnami, TurnkeyLinux, etc	01:06
kieppie	(talking VERY broad strokes here)	01:06
j2daosh	anyone know how to make the hostname of a system report to a router?	01:08
SpamapS	j2daosh: report?	01:09
SpamapS	j2daosh: like, with dhcp?	01:09
EvilResistance	j2daosh: report in what manner?	01:09
j2daosh	all the windows systems in the house, an apple, and a redhat server report their hostnames to my router, but my ubuntu/debian boxes wont	01:09
=== sixstringsg is now known as sixstringsg\|away
SpamapS	kieppie: yeah, bitnami and turnkey are similar ideas, though they still focus too much on the server.	01:09
j2daosh	basically i want the hostname to show up on my router statistics page and be able to 'ssh $host' from any system on the network. I don't have any system running as a DNS server so I am not sure how all the windows/redhat/apple systems are able to resolve to a IP from a hostname	01:16
SpamapS	j2daosh: for the ssh $host .. avahi might get that done.. I use 'ssh $host.local' on my work without help from the router	01:19
SpamapS	j2daosh: for the other bit, ubuntu should be sending the hostname in dhcp requests already	01:19
j2daosh	hmmm	01:20
j2daosh	I set static networking though	01:20
j2daosh	did i miss an option for it somewhere?	01:21
SpamapS	possibly	01:21
j2daosh	hmm, i'll go back thru settings and look. thanks for the tip	01:21
Zac_o_O	Hi all! I have disks that are set to spindown in hdparm.conf, not being woken up by smartd (desired), and noatime set. The disks spin up after only a few minutes of sleeping. How do I figure out what's waking them up?	01:58
nguyenthientam1	Hi, I want to intall https on apache , help me	02:01
=== sixstringsg\|away is now known as sixstringsg
Zac_o_O	anyone?	02:16
TeTeT	Zac_o_O: maybe try a fuser on the filesystem?	02:46
Zac_o_O	TeTeT: a fuser?	02:47
TeTeT	Zac_o_O: a command for checking which process accesses a file, try fuser /	02:48
Zac_o_O	TeTeT: nice! I'll try that	02:48
Zac_o_O	TeTeT: So I'll do fuser on the mount point/director where this disk is mounted?	02:49
=== fenris is now known as Guest65492
=== sixstringsg is now known as sixstringsg\|away
=== Gallomimia_ is now known as Gallomimia
ghost13	question: is there a script that can display the contents of tailf /var/log/auth.log \| grep Failed to a webpage so i can see it live as my ssh is attacked?	03:44
twb	ghost13: yes, fail -f /var/log/auth.log \| grep Failed >> ~/public_html/index.txt	03:45
twb	s/fail/tail/	03:45
twb	But you would do better to 1) fix your ssh so it can't be attacked in the first place; and 2) use logcheck to have it deliver hourly reports via email instead.	03:46
ghost13	i have denyhost installed so after 10 failed attempts there locked out.	03:46
ghost13	is logcheck installed by default?	03:47
twb	http://cyber.com.au/~twb/doc/iptab.ips	03:47
twb	logcheck is not installed by default.	03:47
ghost13	ok thanks..easy config in terminal?	03:47
twb	You may have heard of logwatch; that does broadly the same thing but is IMO worse, because it must be told specifically to watch for things, whereas logcheck will report anything is has not been told is safe to ignore.	03:47
ghost13	ahh.. just what i was looking for but gave up on that. ill look into it. thanks again	03:48
twb	ghost13: it basically does an egrep -v over your logfiles, so yes, simple to configure.	03:48
twb	You will need to ensure that the system can actually deliver mail to you, of course.	03:48
twb	Also syslog-summary is useful for compressing logs that are very repetetive	03:49
ghost13	it does send to my gmail but..it is from michael@local ?? not my host name and i am running noip	03:49
twb	I have all my systems log to a central logserv, and only it runs logcheck.	03:49
twb	ghost13: then you need to fix your MTA	03:49
twb	ghost13: probably by setting /etc/mailname correctly and restarting postfix, but it all depends. /topic mentions the 10.04 admin guide which explains how to set up postfix.	03:50
ghost13	will fix my mta and just to make me feel envy..how many systems (servers) you running?	03:50
twb	http://paste.debian.net/158719/ and http://paste.debian.net/158720/	03:51
twb		03:51
twb	...show example output from logcheck w/syslog-summary and appropriate additional site-specific whitelisting.	03:51
twb	The hugin "security" issue is one that has been raised in priority so it stands out, because it is collectd indicating a disk is nearly full	03:51
ghost13	do you run a single server for each task? ssh, httpd, etc?	03:53
twb	ghost13: about one full rack of physical servers, plus about 25 virtual ones, a couple of APs running OpenWRT, a couple of LJ4s, and a hot desk workstation.	03:53
twb	ghost13: I run one container per service, more or less.	03:53
ghost13	fun fun, running 3 services on one laptop hooked into dd-wrt. running ok but hadnt seen much pressure yet :)	03:54
ghost13	is running virtual servers more or less like vhost on apache? or is it for running apps?	03:55
twb	It is more different than similar	03:56
twb	https://en.wikipedia.org/wiki/LXC are "containers", they are very similar to BSD jails or Solaris zones.	03:56
ghost13	never quite got into that yet.	03:57
adam_g	zul: https://code.launchpad.net/~gandelman-a/nova/patch_fixups/+merge/96050 here is that merge that fixes the patches again. this and future proposals should just merge clean into the ubuntu-server-dev branches	03:57
twb	If you are used to KVM VMs, you can think of containers as very low-overhead VMs that are less secure.	03:57
ghost13	ahh ok.	03:57
twb	Sometime when speaking in general I (and others) may refer to containers as another kind of VM, even though this is not strictly accurate	03:58
EvilResistance	how can you set a repository's priority for every package except certain packages?	03:59
twb	EvilResistance: set the repo prio, then set the package prio	04:04
twb	This in in apt_preferences(5) or so IIRC	04:04
EvilResistance	twb, thanks	04:17
=== jtv1 is now known as jtv
linocisco	I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server.	05:17
linocisco	what do I do?	05:18
linocisco	I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server.	05:25
linocisco	I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server so that client from LAN can lookup DNS from that ubuntu server.	05:26
twb	!repeat	05:30
ubottu	Don't feel ignored and repeat your question quickly; if nobody knows your answer, nobody will answer you. While you wait, try searching https://help.ubuntu.com or http://ubuntuforums.org or http://askubuntu.com/	05:30
uvirtbot`	New bug: #947744 in apache2 (main) "$ anchor doesn't work in Directory ~ regexp" [Undecided,New] https://launchpad.net/bugs/947744	05:36
TeTeT	linocisco: the server just need to have ip forwarding between the cards enabled, it doesn't need a route, as it can access both networks. the clients however need to have the servers lan address as gateway. when the server also provides DNS, it needs to be supplied in the nameserver config, /etc/resolvonf. Usually DNS server are set via DHCP dynamically	05:55
lucascastro	linocisco: take a look at ubuntu server guide, firewall	06:00
linocisco	TeTeT	06:26
linocisco	TeTeT, hi thanks for your explanation. I m looking for ip forwarding. acutally my server external card is connected to Host which has got internet from physical gatway. my server is on VM	06:27
linocisco	TeTeT, also my client is on VM	06:27
TeTeT	linocisco: you can check on the server with cat /proc/sys/net/ipv4/ip_forward if forwarding is enabled at all, should be 1	06:29
TeTeT	linocisco: on the VM, depending on the tech used, there might be firewall rules on the host that may make it harder	06:29
linocisco	TeTeT, What I am confusing is that i installed bind9 on that server. so I put that serveritself's IP in resolv.conf so that client can point. but server also has original DNS server got via DHCP entries. what do I do?	06:37
TeTeT	linocisco: the server does not strictly use itself as DNS server, but it may, as it speeds up due to caching. You don't need the DHCP servers if bind is configured correctly	06:44
TeTeT	linocisco: make that: does not need to strictly use itself ...	06:44
linocisco	TeTeT, I have vbox installed on my WindowXP host, which got internet from office router, ubuntu server got internet access from host via NAT. though I installed bind9. mine is still getting DNS from host	06:51
TeTeT	linocisco: well, NAT is quite evil when you want to set up routing, as the route has to go through your host. I don't think I can support you with this. I recommend changing the network structure of the guests to bridged, if possible	06:53
linocisco	TeTeT, all guest OS( ubuntu server and windows client)'s networking mode into bridge?	06:54
TeTeT	linocisco: that's what I did on my ubuntu desktop system with lots of vms on it, makes networking easier, IMO	06:55
linocisco	TeTeT, okok bro. so I have two cards on ubuntu server. should I also make both cards to bridge mode?	06:56
TeTeT	linocisco: really depends on what you want to achieve, two virtual cards bridged to the same LAN don't look to useful to me	06:57
bluefrog	linocisco, you should ask yout IT admin to help you	06:57
linocisco	bluefrog, I am the IT guy	06:57
bluefrog	linocisco, then you should start reading (no offense) seriously	06:58
bluefrog	linocisco, basically all stuff I read is kind of basic IT knowledge	06:58
bluefrog	linocisco, so depending on what you want to achieve, you should take care security wise. don't expose your intranet to internet and so on...	07:00
linocisco	hi	07:30
=== jtv1 is now known as jtv
=== smb` is now known as smb
gvandeweyer	has anybody tested the ubuntu server lts 10.04.4 on a dell optiplex 990? in the previous version, the nic was not recognised, forcing to upgrade to a non-lts version	08:17
twb	gvandeweyer: run lspci -nn	08:22
twb	gvandeweyer: pastebin the result into kmuto.jp; it will tell you what is supported by what kernel	08:22
twb	If you mean "previous versions of 10.04", they all have the same kernel, so support will be unchanged	08:22
twb	http://kmuto.jp/debian/hcl/ that is	08:23
gvandeweyer	twb: I read that there was backported hardware support in 10.04.4, that's why i asked.	08:30
gvandeweyer	thanks for the lspci hint	08:30
twb	Oh, yeah, possibly if you enable backports and pull in a newer kernel	08:31
twb	I tend to avoid backports	08:31
twb	Anyway 12.04 is coming out in a month, so you might as well aim for that	08:31
gvandeweyer	'pull in a new kernel' is an issue if you don't have ethernet support :-)	08:32
gvandeweyer	indeed, I just might wait for 12.04.	08:32
twb	gvandeweyer: uh, so put in a temporary second nic	08:32
twb	Or use apt-walkabout, or ethernet over firewire, or whatever.	08:33
twb	Use some INITIATIVE man	08:33
gvandeweyer	:-)	08:34
uvirtbot`	New bug: #947804 in lxc (universe) "Unable to start lxc instances" [Undecided,New] https://launchpad.net/bugs/947804	09:03
lynxman	morning o/	09:25
linocisco	hi all	10:06
linocisco	I found ip_foward is always 0 however I edited or changed via nano. into 1	10:07
linocisco	what do I do?	10:07
rbasak	linocisco: it probably won't work if you use an editor, since it's not a normal file and the editor will try and rename a new file over the top.	10:11
linocisco	so what do I do?	10:11
rbasak	linocisco: use "echo 1 > ip_forward" instead of "nano ip_forward" (and fix the path if you're in a different directory)	10:11
linocisco	I tried "echo 1 > /proc/sys/net/ipv4/ip_forward"	10:12
rbasak	linocisco: this will only change it until next reboot. To keep it persistent across reboots, edit the file /etc/sysctl.conf (you can use nano for that)	10:12
rbasak	linocisco: that should work if you're root. If you're trying to use sudo, it won't work directly, since the redirection is done as the user. I use "sudo -i" to get a root prompt first.	10:12
linocisco	rbasak, but my client could not ping to external card's gateway	10:13
rbasak	linocisco: does "cat /proc/sys/net/ipv4/ip_forward" now say 1?	10:13
linocisco	rbasak, yes. it is now 1	10:14
rbasak	OK, so then you have some other problem. Perhaps routing or firewall.	10:14
linocisco	rbasak, i can ping to external card's IP of ubuntu server from my XP client	10:15
rbasak	Are you sure you don't need NAT?	10:16
linocisco	rbasak, i need nat	10:20
linocisco	echo 1 > /proc/sys/net/ipv4/ip_forward is not ok?	10:20
rbasak	linocisco: no, that will only enable forwarding without nat	10:21
rbasak	You need to add nat rules as well	10:21
_ruben	assuming you want that to be permanent (persistent across reboots), you should edit /etc/sysctl.conf instead (or probably even better, add a file to /etc/sysctl.d/)	10:21
rbasak	http://www.netfilter.org/documentation/index.html#documentation-howto - there's a nat howto	10:21
linocisco	ya	10:21
Daviey	jamespage: Hey, are you touching ci this week?	10:27
linocisco	rbasak, I think I just need only one line like that" iptables -t nat -A POSTROUTING -o [external NIC card] -j MASQUERADE	10:30
linocisco	" , right?	10:30
linocisco	rbasak, how to check existing iptables command?	10:38
linocisco	rbasak, how to check existing iptables commands?	10:38
linocisco	rbasak, how to check existing iptables commands which has been entered?	10:38
diplo	linocisco, iptables -L	10:53
linocisco	diplo, and then?	10:53
diplo	That will list iptables rules	10:53
diplo	Good read here for basics : https://help.ubuntu.com/community/IptablesHowTo	10:54
linocisco	diplo,	11:02
linocisco	I found Chain input/chain forward and change output with heading	11:02
jamespage	Daviey: yep	11:13
linocisco	entering "/sbin/iptables -P FORWARD ACCEPT	11:15
linocisco	" in rc.local is correct?	11:15
jamespage	jodh, whats the best way to programatically determine the status of a service? grep the output of service XX status?	11:26
jamespage	Daviey, I see lots of discussion last night - what needs doing?	11:27
jodh	jamespage: you can do that, or maybe use the D-Bus interface if that's more appropriate for your needs? If you care about being notified of state changes, use D-Bus.	11:30
jamespage	jodh, hmm - now that is an interesting idea	11:30
linocisco	hi	11:34
linocisco	i can now ping to gateway of external card	11:35
linocisco	but proxy is not ok yet though I have edited in squid	11:35
linocisco	hi	11:40
linocisco	I followed that https://help.ubuntu.com/11.04/serverguide/C/squid.html. but client don't get interenet through squid yet	11:51
linocisco	my squid doesnot work yet	12:00
aibo	hi after boot I'm getting clean /etc/resolv.conf, I need to store nameserver permanently, how can I do it?	12:29
aibo	oh, solved	12:32
soren	zul: Why did the adduser call in keystone get moved to preinst?	12:39
zul	soren: i was trying to break up the posinst before it got too big	12:40
soren	zul: By moving half of it into the preinst?!?	12:42
zul	soren: yep	12:43
soren	zul: You do understand they serve different purposes, right?	12:43
zul	soren: right	12:43
soren	zul: So you can't just move stuff back and forth willy nilly.	12:43
zul	right	12:50
zul	it will be fixed in the next upload	12:50
zul	i dont know how yet but it will	12:50
soren	zul: Don't... know... how? Just move it back?	13:01
zul	soren: probably	13:01
soren	zul: You said you moved it because the postinst was getting too big.	13:01
zul	soren: im going to play with it this week	13:01
zul	anyways i have to drop liam off at the bus bbl	13:02
soren	Have fun.	13:02
zul	and freeze my arse off at the same time :)	13:02
* koolhead11 burps		13:08
Daviey	soren: Hmm, if it's just adduser handling, what issues do you expect to see, between doing it in the postinst or preinst?	13:17
eutheria	i would like to backup my lucid server to a remote host, I tried duplicity because of its encryption, however it seems to be fairly buggy, can anyone suggest an alternative?	13:21
pmatulis	eutheria: rsync	13:28
eutheria	pmatulis, with encryption?	13:30
eutheria	if duplicity was more reliable it would be fantastic, for backing up to a remote host securely	13:31
soren	Daviey: First of all, it was done without adding a Pre-Depends on adduser.	13:31
soren	Daviey: But that aside, adding users typically happens in postinst. It was moved into preinst. There could be reasons why this is needed. I just don't seem them.	13:32
soren	Daviey: "Make postinst shorter".. not a good reason.	13:33
Daviey	soren: To be fair, on Ubuntu, this is just a lintian warning. I've read your views on trivial lintian warnings :)	13:33
soren	Daviey: What is just a lintian warning? The lack of Pre-Depends?	13:34
Daviey	soren: yes	13:34
pmatulis	eutheria: yes, rsync can use ssh encryption	13:35
zul	good morning	13:36
eutheria	pmatulis, not the network layer, the file system of the remote machine is where i need the encryption	13:36
soren	Daviey: How is it deemed just a warning when it'll make the install fail?	13:36
Daviey	soren: How many Ubuntu boxes do you know that don't have adduser installed?	13:37
Daviey	Whilst it isn't Priority: required, it is in base, right?	13:37
Daviey	s/base/minimal/	13:38
soren	Daviey: It is priority: required.	13:39
soren	Daviey: And there is a Depends: on it. But there's no PRe-depends. But this is not the point.	13:39
Daviey	is it?	13:39
soren	The point is that postinst and preinst aren't the same thing.	13:39
Daviey	$ dpkg -I adduser_3.113ubuntu2_all.deb \| grep Priority Priority: important	13:39
Daviey	line break fail, but ygti	13:40
soren	So if you move stuff between them, I sure hope, there's a better explanatino that "the other one was getting too big".	13:40
soren	Daviey: That may be what the package claims.	13:40
soren	Daviey: The archive says otehrwise.	13:40
soren	otherwise, even. apt-cache show adduser \| grep Priority:	13:41
soren	Priority: required	13:41
Daviey	soren: true dat	13:42
rbasak	eutheria: use LUKS or ecryptfs on the remote end?	13:42
Daviey	soren: so either way, do you agree that it is little more than a lintian warning?	13:42
rbasak	eutheria: or if you want to use an external provider, take a look at tarsnap	13:43
eutheria	rbasak, i have no control over the backend	13:43
rbasak	eutheria: duplicity is the only answer I know of then.	13:44
eutheria	duplicity seems great but buggy	13:44
soren	Daviey: I don't get wound up about what Lintian says. It's an unexplained change that I wondered about. The answer left me wondering even harder.	13:45
Daviey	soren: ok, fair comment.	13:45
koolhead11	nijaba: around	13:47
jamespage	Daviey: you pinged me earlier about CI?	14:36
Daviey	jamespage: ah yes.. Wanted to know what ws in the works for this week?	14:37
jamespage	Daviey: refactoring to make the tarball creation/build process more re-usable	14:38
jamespage	figuring out the best way to manage all of the jenkins jobs...	14:38
jamespage	generally consolidating everything that had been done to-date	14:38
Daviey	jamespage:Have you ben tracking tempest integration ?	14:38
Daviey	and juju as a client test?	14:39
jamespage	Daviey: tempest integration - no adam_g is point on that	14:40
jamespage	juju as a client test == new requirement so I'm guessing no work has been done on that	14:41
jamespage	we are still running devstack in the lab	14:41
uvirtbot`	New bug: #932800 in glance (main) "New glance dependency: ca-certificates" [Medium,Fix released] https://launchpad.net/bugs/932800	14:42
Daviey	jamespage: sorry, what is devstack doing?	14:42
Daviey	the exercise.sh?	14:42
jamespage	yep	14:42
koolhead11	BTW before i could think of it uksysadmin has already made this simple script for keystone https://github.com/uksysadmin/OpenStackInstaller/blob/essex/keystone-services.sh	14:49
koolhead11	am testing it from ubuntu keystone package	14:50
lynxman	jamespage: do you have 5 mins for a packaging doubt I have? If so dm me pls	14:54
jamespage	lynxman, sure	14:55
lynxman	jamespage: thanks :)	14:56
koolhead11	thanks to zul Daviey i can sleep in peace tonight!! :)	15:18
stgraber	jjohansen: any news on a fixed apparmor? we started getting bug reports of broken lxc...	15:35
mali	hey.. I notice slappasswd does not handle passwords wello. it would seem it is most likely the same iossue which seems to have been patched in january by debian aka, passwd field is not encloised by brackets. So what is the best way for me to patch my server... wait for you or sort it out myself?	15:40
uvirtbot`	New bug: #948115 in mcollective (universe) "Detect if system is running upstart seems wrong" [Undecided,New] https://launchpad.net/bugs/948115	15:51
jjohansen	stgraber: sorry fixed the bug I was expecting and turned up more, I am running through some testing on the latest set of patches now	15:51
stgraber	jjohansen: ok	15:52
=== smw_ is now known as smw
uvirtbot`	New bug: #948156 in php5 (main) "Include PHP 5.4 to Ubuntu 12.04 release" [Undecided,New] https://launchpad.net/bugs/948156	16:31
uvirtbot`	New bug: #948157 in ntp (main) "package ntp 1:4.2.4p8+dfsg-1ubuntu2.1 failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1" [Undecided,New] https://launchpad.net/bugs/948157	16:31
therve	hi there	16:35
therve	my nice rabbitmq fix got bumped with the latest upgrade, anything I can do about it?	16:35
therve	#913464 fwiw	16:37
jamespage	lynxman, ^^ know you are working on rabbitmq to tidy up stuff - can you re-instate the fix for bug 913464	16:37
uvirtbot`	Launchpad bug 913464 in rabbitmq-server "rabbit creates new PAM session" [Medium,Fix released] https://launchpad.net/bugs/913464	16:37
therve	jamespage, thanks :)	16:38
lynxman	jamespage: yessir	16:38
jamespage	lynxman, ta	16:38
jamespage	therve, np	16:38
lynxman	jamespage: actually I already had it in mind, it was in the diff (looking at it)	16:39
jamespage	sweet	16:39
mali	hi, which channel is a normal linux support chan_	16:40
mali	ubuntu+1_	16:41
zul	adam_g: can you review the glance ubuntu/debian merge proposal please	16:41
adam_g	zul: yeah, just added a comment about a typo in patch	16:44
adam_g	zul: will look closer in a bit and build some test packages	16:44
zul	adam_g: typo in which patch?	16:44
adam_g	zul: the one that sets the default pipeline/paste flavor	16:45
zul	adam_g: ah ok	16:45
adam_g	zul: also, https://code.launchpad.net/~gandelman-a/nova/patch_fixups/+merge/96050 this syncs patches back to a known working state	16:46
zul	kk	16:46
mali	hey guys	17:05
=== koolhead17\|away is now known as koolhead17
mali	finally	17:05
mali	I noticed that in slapd when configuring for the ldap admin password, "advanced passwords" often faiil, due to the slappasswd script doesn't enclose the variable in "" . What is the best thing for me to do to patch this?	17:06
mali	patch it locally then lock down my version?	17:06
mali	kinda sounds like security updates can easily break.. or do I give ya the patch and ask why , since this was fixed in january in debian and upstream around then.. it still isn't in ubu? :_p	17:07
rbasak	mali: this fix isn't in the current development version?	17:10
rbasak	mali: and do you know in which version it was fixed in Debian?	17:12
mali	I just came back to ubutnu server ONLY for server reasons and not ever desktop reasons again so I woudln't lknow. I can only say looking at this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635931 and the patch http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=slappasswd.patch;att=1;bug=635931 upstream and debiaN fixed this already in jan	17:12
uvirtbot`	Debian bug 635931 in slapd "slapd fails to install due to configuration error" [Normal,Fixed]	17:12
rbasak	OK so this was fixed in Debian in 2.4.28-1	17:13
mali	I can confirm that on the oneiric server I installed today and running the sscript iot fails with my 35ish character long password and does seem however to work if I do ot manually (slappasswd) and enclose with " although I think that becomes part of the password. dpkg-reconfgure does seem to wkr after I reran it manually	17:14
rbasak	Ubuntu precise is on 2.4.28-1.1ubuntu3 so it probably has the fix.	17:14
mali	(I am checking now.. I haven't been on ubuntu , you see, since	17:14
rbasak	Oneiric is on 2.4.25-1.1ubuntu4.1	17:14
mali	ah ok, so precise server is out or in beta?	17:14
rbasak	Beta	17:14
mali	ya ok. I see.	17:14
mali	thank you rbasak . Does this mean then I have to patch a lot of stuff myself for about 3-6 months on a production server, in general?	17:15
rbasak	The bug was fixed in Debian only in January, and Oneiric was released in October. Hence it won't be expected to have the fix unless there's an SRU.	17:15
mali	ok. I know it is not a threat as such, except, it doesn't allow for rather ore secure passowords, which for me... being the root password for ldap, is rather half important.	17:16
mali	so I am just trying to get my head around how it the ubuntu server team works. Sorry if I seem outdated on this as I am.	17:16
mali	but given Canonical and Debian as such is more voluntary or so... how come it goes slower on ubuntu ? (please bear my ignorance as I left Ubuntu Studio at the time due to this unity thing they had) no sure if it still will be in ubuntu but I am only here for the ubuntu server.	17:18
rbasak	mali: if you want, you can request an SRU: https://wiki.ubuntu.com/StableReleaseUpdates	17:18
rbasak	mali: brb	17:18
mali	no , it's ok rbasak : sorry , it is just me who kinda not used to seeing if server / desktop follow similar methods of update.. and also getting used to ubuntu server options as I am starting some businesses but will be setting up most of the infrastructure on th eproduction systems myself along with an admin and two i will enlist. For now I am doing testing to see which system to go for.	17:20
mali	I suspect BSD should be the winner but since I was always a linux bloke, I am sticking to it. I am on arhc linux now which is so amazing but I just can't think quite rolling release might be dodgy on server systems in a small business.	17:21
mali	A huge business with many redundant servers and a large team for testing , for sure it is the best but ye. I do hmmm, worry a bit if certain updates might be slow. Although this is not a security issue more than indirectly (simple passwords do not fail but which production server would use simple passwords)	17:22
=== mali is now known as mali`aweeh
kraut	i just went into some creepy situation with ecryptfs on nfs... http://pastebin.com/j0JbCwYn	17:24
kraut	is that interesting for you?	17:24
rbasak	mali: Ubuntu is based on Debian. So updates in Debian filter through to Ubuntu usually upon the following Ubuntu release.	17:25
mali`aweeh	ya, that is an upstream bug though I think. kernel code is erronous.	17:25
kraut	mali`aweeh: did you mean me?	17:26
mali`aweeh	ya	17:26
kraut	mali`aweeh: ah, thanks for the tip. do you got any bug id?	17:26
kraut	or anything else where i can look?	17:26
mali`aweeh	ya I know rbasak but with all the users ubuntu took on from debian and given it is a company which also offers server professional support, one would think it wasn't like just hacking debians stuff again :p but what do I know. that's why I was asking :) anyway, dog walkie time.	17:27
rbasak	mali: once a release is made, it generally isn't changed to keep it stable. This is the same as Debian and most other distributions. Arch is an exception	17:27
mali`aweeh	ye but you do patch security updates though through right?	17:27
rbasak	mali`aweeh: yes, and bugfixes are backported as well	17:27
mali`aweeh	so I agree, one wouldn't get the upstream version fix but	17:28
mali`aweeh	ya.. ok cool.	17:28
kraut	oO	17:28
rbasak	mali`aweeh: usually bugfixes are backported on request	17:28
mali`aweeh	I would expect perhaps a patch	17:28
rbasak	mali`aweeh: see https://wiki.ubuntu.com/StableReleaseUpdates for details of the policies and process	17:28
jdstrand	mali`aweeh: we have a team dedicated to providing security support for ubuntu. it is separate from the bug fix updates you initially asked about	17:28
mali`aweeh	ok good. so my initial question then, which was:	17:28
mali`aweeh	got ya jdstrand : and that is a paid service yes?	17:28
jdstrand	mali`aweeh: no. it is free	17:29
rbasak	mali`aweeh: no, it's not paid.	17:29
rbasak	mali`aweeh: you can follow the process yourself	17:29
jdstrand	mali`aweeh: fyi, https://wiki.ubuntu.com/SecurityTeam/FAQ	17:29
mali`aweeh	Nice.. thanks	17:30
mali`aweeh	so in general, say I find N patches to perform locally, which some are low/,edium priority , is it better to lock down my system for updates since I am patching myself?	17:31
mali`aweeh	thats the final question.. since there is info on this page	17:32
rbasak	mali`aweeh: if you do that you'll miss out of security and stable updates	17:32
rbasak	mali`aweeh: the best thing to do is to supply the patches and get them sponsored. If they conform to policy then they'll go in.	17:33
mali`aweeh	ye I know. that is why I am not sure what happens, if I still make locally patched versions of packages, and then wish to update other downstream fixes	17:33
rbasak	mali`aweeh: you can control the version number of your own packages, and you can use apt pinning to avoid getting updates for particular packages if you want	17:34
rbasak	mali`aweeh: you might want to look into PPAs as well	17:34
rbasak	https://help.launchpad.net/Packaging/PPA	17:34
mali`aweeh	okidokie. Well. In that case, I will patch it for now locally. repackage it. lock it. then continue ldap and all the other horsepulling mauling setup of stuff! :)	17:35
mali`aweeh	thanks for the help and time.	17:35
rbasak	no problem	17:36
raubvogel	If I am not mistaken, when you want to see the cert for a ldap server, you usually would do something like openssl s_client -connect ldapserver.domain.com:636 -showcerts	17:45
raubvogel	But, what if the ldap server only supports tls instead of ldaps?	17:45
mali`aweeh	I just find it funny now one has set up ldap on ubuntu server for 3 months or so, asking for this to be patched :p can confirm the old password thing still fails manually. i.e. the patch is needed. I will post it tonight if i ever get the time, sigh.	17:45
rbasak	mali`aweeh: I think ldap being fairly enterprisey is mainly used on the LTS release. Is this patch required there?	17:57
phretor	I've set the hard/soft nofile limits for my user into /etc/security/limits.conf but ulimits -n keeps displaying the default value (1024): Any clue?	17:58
mali`aweeh	rbasak, actually, true.. I am waiting for the new lTS release... and indeed I am using the oneirc as a testbed till it is out. I was just curious thought about the process, given the LTS releases still follow the same principles, right?	18:07
mali`aweeh	As I am waiting for new servers anyway in about a monnth, which I with a little hope. will coincide more or less with the new LTS	18:07
mali`aweeh	and I do have the 10.04 in a vm from yesterday , I could check but for now, I am not gonna get around to do anything for a few hours	18:08
mali`aweeh	rbasak, nevermind, I will patch it myself either tonight or tomorrow as I need to refresh the debian packaging system anyhow and in precise it will be fixed (I will chuck in a report on it if there isn't)	18:11
smoser	utlemming, i dont think that apt retry would change much.	18:27
utlemming	yeah, that's what my testing is proving	18:28
smoser	i'm not sure whether or not it will retry on a 403, and that is the only remotely "retryable" tihng	18:28
smoser	s/thing/error wer're seeing/	18:28
utlemming	smoser: http://paste.ubuntu.com/871898/	18:43
utlemming	smoser: if you fetch the file via wget/curl, its okay, while if you fetch via apt, it fails	18:44
smoser	but is that reproducible ?	18:44
smoser	ie, does it fial again for apt ?	18:44
smoser	or was it just transient and you not lucky with wget/curl	18:45
utlemming	I'm getting the failure consitantly on my instance now	18:45
smoser	can i come in ?	18:45
utlemming	I can reproduce it will....yup, give me a minute	18:45
utlemming	smoser: dns pinged to you privately	18:46
utlemming	apt is configured in debug mode	18:46
smoser	run by	18:47
smoser	run byobu, utlemming	18:47
smoser	and showme	18:47
utlemming	see the 403?	18:48
rbasak	thanks mali`aweeh. If you're not planning on deploying things in production until 12.04 is out, you might consider using 12.04 as your testbed now instead of oneiric. It's in beta, past feature freeze, it's mostly there apart from bugfixes, and that way you'll have an opportunity to get bugs that affect you fixed much more easily.	19:03
=== Lcawte\|Away is now known as Lcawte
=== sixstringsg\|away is now known as sixstringsg
=== marrusl_ is now known as marrusl
adam_g	smoser: yeah, same errors across different instance types too ive got nova-compute on one node, glance and everything else on another.	19:31
smoser	http://paste.ubuntu.com/871947/	19:31
smoser	and	19:32
smoser	http://paste.ubuntu.com/871940/	19:32
mali`aweeh	rbasak, in fact, that is a very good idea.	19:32
smoser	in yours (second one), it seems to me that init in the ramdisk must be failing very early	19:32
mali`aweeh	back, by the way. Grrr, I have installed a server now for the 5th time in 7 days hehe. but how long would you say till 12.04 is out? mid april?	19:33
adam_g	smoser: can you pastebin the libvirt template for the instance?	19:34
smoser	mali`aweeh, https://wiki.ubuntu.com/PrecisePangolin/ReleaseSchedule?action=show&redirect=PreciseReleaseSchedule	19:34
smoser	adam_g, that is from canonistack, so no, i cannot.	19:34
adam_g	ah	19:34
smoser	adam_g, can i get at your instance ?	19:35
mali`aweeh	ok end of april	19:35
smoser	er...	19:35
smoser	at your host	19:35
smoser	mali`aweeh, it will release on the 25th of april	19:35
smoser	ubuntu releases arrive on time	19:35
mali`aweeh	hmm, its pushing it for me but I might as well though run it and see if I can follow through.	19:35
mali`aweeh	ye, for me it doesn\t matter if its beta or oneiric atm so sure, am downloading now.	19:35
adam_g	smoser: ehh not really without a bit of work	19:35
smoser	mali`aweeh, wait. sorry, 26th.	19:36
uvirtbot`	New bug: #948320 in postfix (main) "main.cf should not refer to localhost" [Undecided,New] https://launchpad.net/bugs/948320	19:36
uvirtbot`	New bug: #948323 in ipxe (main) "Rom images for e1000 and ne2k missign vendor and device id" [Low,New] https://launchpad.net/bugs/948323	19:36
mali`aweeh	ya tis ok. I was hpoing to go live more around 14/15th but then again, I can't afford redundancy in servers enough to run arch which I admit would be my preference , besides, I need to reteach myself deb* style managment again	19:37
mali`aweeh	but I shall rarely ever forgive the desktop attempt of forcing unity on old timers ,p	19:38
lamont	I'm inclined to call 948320 a configuration error: localhost had better be resolvable	19:38
_ruben	and localhost is ::1 as well ;)	19:39
_ruben	and not being able to resolve localhost is indeed, well, atlteast troublesome :)	19:39
SpamapS	several RFC's require localhost to be resolvable and always treated specially	19:40
smoser	adam_g, so you have the fifo patch from rbasak ?	19:40
smb	smoser, note above ipxe bug. I think the quicker fix could be in xen (I am working on another report for that). KVM itself seems to work differently, so it does not seem to require the pci id in the rom header.	19:40
smoser	adam_g, you're in the initramfs at this point	19:42
smoser	so you might be able to reproduce just using the initramfs and kernel (kvm -kernel -initramfs -apend)	19:42
smoser	but i don't know.	19:42
smoser	as it seems to me like it is racy	19:42
smoser	you are using the fifo output ?	19:42
adam_g	smoser: adding --no-log to kernel parameters fixes it	19:45
adam_g	smoser: https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/936667	19:46
smoser	adam_g, i don't know that i understand (or believe) that :)	19:46
uvirtbot`	Launchpad bug 936667 in upstart "Upstart early job logging causes boot failure for systems with no initramfs (error is "No available ptys")" [High,Confirmed]	19:46
smoser	well, maybe now i believe it	19:47
zul	smoser: heh	19:47
smoser	but how did you get no initramfs	19:47
smoser	?	19:47
adam_g	smoser: no idea, just gave that a shot when i had a libvirt domain manually defined. adding it to the nova xml template gets me a booted instance	19:48
smoser	that doesn't make sense.	19:49
smoser	oh.	19:49
smoser	i see.	19:49
smoser	you registered a kernel	19:49
adam_g	smoser: http://paste.ubuntu.com/871975/ same instance	19:49
smoser	not disk image, but kernel.	19:49
smoser	ie, you used the tarball	19:49
adam_g	smoser: i extracted and used glance add..aki, glance add..ami	19:50
smoser	right.	19:50
smoser	so generally, you dont want to do that :)	19:50
smoser	its good you found this bug, but you really want the .img file, not the .tar.gz file.	19:50
adam_g	smoser: well, in theory that should work just as well as any other method, no?	19:51
smoser	well...	19:51
smoser	you want the .img file.	19:51
smoser	because it is a "full disk image" whereas inside the .tar.gz file there is only a partition image (or, rather a un-partitioned disk image).	19:52
smoser	the issue with the second is that there is no bootloader installed, so you have to supply a kernel	19:52
smoser	and in doing so, you will not be able to 'apt-get dist-upgrade && reboot' and get a new kernel.	19:52
smoser	ie, if you do, you'll reboot into that old kernel that you registered with.	19:52
adam_g	right	19:52
smoser	but yeah, other than that, it "should work"	19:53
smoser	:)	19:53
adam_g	smoser: whats the workflow for upload the .img? just 'glance add container_format=ami disk_format=ami < foo.img' with no aki specified?	19:54
smoser	i have to look in devstack.	19:54
smoser	cloud-publish-image ....	19:54
adam_g	ok	19:54
smoser	or cloud-publish-ubuntu	19:54
adam_g	ill check. i didnt know devstack did anything other than what i was doing	19:55
smoser	(you are more than welcome to make those 2 commands use glance and shortcut the ec2 api)	19:55
smoser	adam_g, you're right	19:56
smoser	glance add -A $SERVICE_TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}")	19:56
smoser	adam_g, in essex is there a reasonable expectation that the above would be doable by a non-admin user ?	19:56
adam_g	smoser: yes, you dont need to be an admin to use the glance client.	19:57
smoser	if so, and we had bug 928378 fixed, then we could easily make cloud-publish-image upload to glance.	19:57
uvirtbot`	Launchpad bug 928378 in glance "glance client should be separate from server" [Medium,New] https://launchpad.net/bugs/928378	19:57
adam_g	smoser: AFAIK, in theory the images a regular user publishes are accessible by users associated with its tenant, unless is_public=true.	19:58
adam_g	ill check on that, though.	19:58
smoser	we'd just have to make bucket optional if nova path was taken (ie, normally it requireds 'arch, image, bucket' as inputs)	19:58
smoser	adam_g, i would like to do this.	19:59
smoser	as it would make people able to use 'cloud-publish-image' or 'cloud-publish-tarball' as a consistent'ish interface.	19:59
adam_g	smoser: im gonna get something to eat, get the regular .img published through glance w/o using any utils. i want to verify what i just said about users/tenants, too	19:59
adam_g	smoser: isn't glance client part of glance-common?	20:00
adam_g	(which alone doesn't pull in either server)	20:00
smoser	$ dpkg -S `which glance`	20:00
smoser	glance-common: /usr/bin/glance	20:00
smoser	it appears to be now.	20:00
soren	Doh.	20:01
soren	Oh, that's the client?	20:01
smoser	yeah.	20:01
soren	s/Doh//	20:01
smoser	so thats a good thing.	20:01
soren	Yeah.	20:01
adam_g	it perhaps should be seperated into its own package though	20:01
smoser	but 'glance-client' would be better.	20:01
smoser	yeah.	20:01
adam_g	glance-common should contain common dependencies for the servers, not the client	20:01
* adam_g lunch		20:02
zul	agreed	20:06
=== sixstringsg is now known as sixstringsg\|away
smb	zul, smoser, bug 948333 (I tried to be helpful by providing a debdiff ;))	20:17
uvirtbot`	Launchpad bug 948333 in xen "Xen: pxeboot for e1000 emulation not working" [Medium,In progress] https://launchpad.net/bugs/948333	20:17
zul	smb: ill get to it tonight	20:18
smb	zul, Cool, make sure I did not mess up any formalities (changelog and style) its kinda latish	20:18
zul	smb: ack	20:19
smoser	smb, thank you. zul thank you.	20:19
uvirtbot`	New bug: #939766 in nova "python-novaclient flavor-list is broken against nova diablo/stable" [High,Fix released] https://launchpad.net/bugs/939766	20:43
zul	bbl	20:51
Daviey	smb: Great contribution !!	21:07
Daviey	smb: I am suprised xen is still using etherboot, i thought we switched over to ipxe	21:08
=== uvirtbot` is now known as uvirtbot
utlemming	smoser: I found the cause of the S3 Hashsum/Size mismatch: Bug 948461	21:29
uvirtbot	Launchpad bug 948461 in apt "apt-get hashsum/size mismatch due caused by swapped local file names" [Undecided,New] https://launchpad.net/bugs/948461	21:29
robbiew	SpamapS: https://bugs.launchpad.net/ubuntu/+source/chef/+bug/948437	21:31
uvirtbot	Launchpad bug 948437 in chef "Remove unsupported release from Precise" [Undecided,New]	21:31
robbiew	https://bugs.launchpad.net/ubuntu/+source/ohai/+bug/948438	21:31
uvirtbot	Launchpad bug 948438 in ohai "Remove unsupported release from Precise" [Undecided,New]	21:32
robbiew	...and boom goes the dynamite :/	21:32
smoser	utlemming, that doesn't make any sense.	21:32
smoser	packages.bz2 shows python-defer has md5sum of 3653165af1f20a437a14632ce0a2e6c2	21:32
smoser	but the 'Get:65' showed that 'aptdaemon' had that	21:33
SpamapS	robbiew: ACK	21:33
smoser	and per 'md5sum *' , xul-ext-ubufox_2.0-0ubuntu1 had that!	21:33
utlemming	smoser: yup	21:33
utlemming	smoser: I'll let you take a look at the evidence	21:33
=== koolhead17 is now known as koolhead17\|afk
smoser	that just seems like a really unlikely race condition.	21:36
smoser	i dont trus the log output	21:36
smoser	as it could just be serialized badly	21:36
smoser	but the file you have on disk there definitely seems to have different content than its name implies	21:36
utlemming	I've ping you the DNS name	21:36
uvirtbot	New bug: #948447 in lxc (universe) "Starting an LXC changes the volume (sound!) of the host" [Undecided,New] https://launchpad.net/bugs/948447	21:38
smoser	utlemming, i'm just trying to think of how that could happen.	21:47
utlemming	smoser: I'm pulling the code now to see if I can make heads or tails of it	21:48
smoser	uless you're lying to me, and you must renamed those files as a joke, i have no idea what would do that :)	21:49
utlemming	lol	21:49
utlemming	believe me, I wish it was _that_ simple	21:49
=== sixstringsg\|away is now known as sixstringsg
uvirtbot	New bug: #948481 in telepathy-mission-control-5 (main) "adjust Build-Depends to include dh-apparmor" [Low,Triaged] https://launchpad.net/bugs/948481	21:56
smoser	utlemming, how does htis fail?	22:15
utlemming	smoser: this one is either a hashsum or size mismatch	22:15
smoser	you attached the wrong file in comment 2	22:15
smoser	(you attached a screenshot)	22:15
smoser	please do attach the output correctly there.	22:16
smoser	and then also, see if you can't reproduce on oneiric	22:16
utlemming	lol that was entertaining	22:16
smoser	or even, try installing oneiric apt on precise and see.	22:17
* utlemming tries replicating with oneiric		22:17
smoser	and have you actually seen this on non-s3 mirrors ?	22:17
utlemming	I have, but _very_ rarely	22:17
smoser	fyi, you can potentially short cut this with --download-only for apt	22:17
smoser	(assuming it goes through the file checks in that path)	22:18
smoser	utlemming, https://bugs.launchpad.net/linaro-android-infrastructure/+bug/932088 bug they're not on precise.	22:18
uvirtbot	Launchpad bug 932088 in ubuntu "Ubuntu EC2 package mirror intermitent failures" [High,Confirmed]	22:18
smoser	so either that is not related to this, or they are seeing in on natty even.	22:19
smoser	anyway.	22:19
smoser	i've got to run.	22:19
utlemming	k, I'll see where I can replicate this	22:19
smoser	good sleuthing, utlemming	22:19
smoser	you should maybe tag bugs that have mention of the ec2 mirrors with a given tag	22:20
smoser	so we can remember them easily	22:20
smoser	utlemming,	22:20
utlemming	ec2-s3-mirrors	22:20
smoser	well, i'd skip 's3-mirrors'	22:20
smoser	er...	22:20
smoser	skip 's3'	22:20
smoser	but i dont know	22:20
smoser	i just want to see the others too	22:20
smoser	maybe tag for that too	22:21
utlemming	"all-hail-smoser"?	22:21
smoser	exactly	22:21
=== Lcawte is now known as Lcawte\|Away
=== sixstringsg is now known as sixstringsg\|away
uvirtbot	New bug: #948559 in vlan (main) "eth* NIC names hardcoded" [Undecided,New] https://launchpad.net/bugs/948559	23:48

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!