[00:20] <uvirtbot`> New bug: #947617 in lxc (universe) "After update, lxc does not start" [Undecided,Confirmed] https://launchpad.net/bugs/947617
[00:35] <kieppie> hi guys. are there any details available re virt for the upcoming 12.04 release? I'm thinking of re-installing my new host once it's released, and I'd like to know what to expect. I saw "openstack" as an option when I installed a desktop beta
[00:39] <SpamapS> kieppie: openstack isn't really "virt" as much as "api + management + scaleout of virt"
[00:39] <SpamapS> kieppie: for just a single box.. libvirt is still good
[00:41] <kieppie> thanks for that, SpamapS: I'm still running LTS 10.04.x on my production box, so I'd like to upgrade to the new stack with the next release.
[00:42] <kieppie> using KVM + libvirt
[00:42] <kieppie> if oVirt (I think?) is production-ready & in the repo or a stable PPA by then, that would be nice
[00:42] <SpamapS> kieppie: yeah not much has changed there.
[00:43] <kieppie> thinking about building a HA/faIL-OVER CLUSTER WITH REDUNDANT RESOURCES
[00:43] <SpamapS> kieppie: ovirt is not included AFAIK
[00:43] <kieppie> sry (caps)
[00:43] <kieppie> what's the other one....?
[00:43] <SpamapS> no clue.
[00:44] <kieppie> convirt/convirture 2 - that's the one...
[00:44] <kieppie> also, would be nice to get the desktop-virt going, with SPICE
[00:45] <kieppie> but I can't find much of the way of news or what to expect on the server-side/virt-side re the next release - much of the focus has been on the desktop/UI advances
[00:47] <SpamapS> kieppie: spice has had some work done
[00:47] <kieppie> yea - I figured.... really looking forward to that....
[00:47] <SpamapS> kieppie: the release notes tend to solidify very late in the cycle
[00:49] <SpamapS> kieppie: The biggest change is definitely OpenStack vs. Eucalyptus as the cloud service in main
[00:49] <kieppie> SpamapS: is there anything I could look at now that could give me some insight or get me excited?
[00:49] <kieppie> please?
[00:50] <SpamapS> kieppie: I wrote this blog post a bit ago that talked about the stuff done over the last 2 years, but it is not really virt focused: http://fewbar.com/2012/03/precise-is-coming/
[00:50] <kieppie> cheers
[00:52] <kieppie> hehehe - pic looks familiar. ran across this page not that long ago :)
[00:58] <kieppie> what is Juju? I've encountered it, but not really paid much attention.
[00:58] <kieppie> is JuJu to services/SaaS what chef/puppet is to PXE hosts?
[00:59] <SpamapS> kieppie: It's not a perfect map. I say juju is to chef/puppet as apt-get/dpkg are to './configure && make && sudo make install'
[00:59] <SpamapS> kieppie: the idea is that you just want a service, not necessarily a server.
[01:00] <kieppie> interesting.....
[01:00] <kieppie> extremely abstract, though. quite a departure from what I'm used to
[01:03] <SpamapS> kieppie: it's quite concrete when you think about how you actually want to deploy stuff though.
[01:04] <SpamapS> kieppie: instead of trying to figure out how to deploy stuff *AND THEN* integrate with it.. you just deploy it, then figure out how to integrate with it.
[01:06] <kieppie> if I understand it (probably very poorly), this could be a great way of fluidly managing services across clusters, local or remote. not unlike AC2 instances, etc with OpenStack, Orchestra, Bitnami, TurnkeyLinux, etc
[01:06] <kieppie> (talking *VERY* broad strokes here)
[01:08] <j2daosh> anyone know how to make the hostname of a system report to a router?
[01:09] <SpamapS> j2daosh: report?
[01:09] <SpamapS> j2daosh: like, with dhcp?
[01:09] <EvilResistance> j2daosh:  report in what manner?
[01:09] <j2daosh> all the windows systems in the house, an apple, and a redhat server report their hostnames to my router, but my ubuntu/debian boxes won't
[01:09] <SpamapS> kieppie: yeah, bitnami and turnkey are similar ideas, though they still focus too much on the server.
[01:16] <j2daosh> basically i want the hostname to show up on my router statistics page and be able to 'ssh $host' from any system on the network. I don't have any system running as a DNS server so I am not sure how all the windows/redhat/apple systems are able to resolve to an IP from a hostname
[01:19] <SpamapS> j2daosh: for the ssh $host .. avahi might get that done.. I use 'ssh $host.local' on my work without help from the router
[01:19] <SpamapS> j2daosh: for the other bit, ubuntu should be sending the hostname in dhcp requests already
[01:20] <j2daosh> hmmm
[01:20] <j2daosh> I set static networking though
[01:21] <j2daosh> did i miss an option for it somewhere?
[01:21] <SpamapS> possibly
[01:21] <j2daosh> hmm, i'll go back thru settings and look. thanks for the tip
[01:58] <Zac_o_O> Hi all!  I have disks that are set to spindown in hdparm.conf, not being woken up by smartd (desired), and noatime set.  The disks spin up after only a few minutes of sleeping.  How do I figure out what's waking them up?
[02:01] <nguyenthientam1> Hi, I want to install https on apache, help me
[02:16] <Zac_o_O> anyone?
[02:46] <TeTeT> Zac_o_O: maybe try a fuser on the filesystem?
[02:47] <Zac_o_O> TeTeT: a fuser?
[02:48] <TeTeT> Zac_o_O: a command for checking which process accesses a file, try fuser /
[02:48] <Zac_o_O> TeTeT: nice! I'll try that
[02:49] <Zac_o_O> TeTeT: So I'll do fuser on the mount point/directory where this disk is mounted?
[03:44] <ghost13> question: is there a script that can display the contents of tailf /var/log/auth.log | grep Failed to a webpage so i can see it live as my ssh is attacked?
[03:45] <twb> ghost13: yes, fail -f /var/log/auth.log | grep Failed >> ~/public_html/index.txt
[03:45] <twb> s/fail/tail/
[03:46] <twb> But you would do better to 1) fix your ssh so it can't be attacked in the first place; and 2) use logcheck to have it deliver hourly reports via email instead.
[03:46] <ghost13> i have denyhost installed so after 10 failed attempts they're locked out.
[03:47] <ghost13> is logcheck installed by default?
[03:47] <twb> http://cyber.com.au/~twb/doc/iptab.ips
[03:47] <twb> logcheck is not installed by default.
[03:47] <ghost13> ok thanks..easy config in terminal?
[03:47] <twb> You may have heard of logwatch; that does broadly the same thing but is IMO worse, because it must be told specifically to watch for things, whereas logcheck will report anything it has not been told is safe to ignore.
[03:48] <ghost13> ahh.. just what i was looking for but gave up on that. ill look into it. thanks again
[03:48] <twb> ghost13: it basically does an egrep -v over your logfiles, so yes, simple to configure.
[03:48] <twb> You will need to ensure that the system can actually deliver mail to you, of course.
[03:49] <twb> Also syslog-summary is useful for compressing logs that are very repetitive
[03:49] <ghost13> it does send to my gmail but..it is from michael@local ?? not my host name and i am running noip
[03:49] <twb> I have all my systems log to a central logserv, and only it runs logcheck.
[03:49] <twb> ghost13: then you need to fix your MTA
[03:50] <twb> ghost13: probably by setting /etc/mailname correctly and restarting postfix, but it all depends.  /topic mentions the 10.04 admin guide which explains how to set up postfix.
[03:50] <ghost13> will fix my mta and just to make me feel envy..how many systems (servers) you running?
[03:51] <twb> http://paste.debian.net/158719/ and http://paste.debian.net/158720/
[03:51] <twb>  
[03:51] <twb> ...show example output from logcheck w/syslog-summary and appropriate additional site-specific whitelisting.
[03:51] <twb> The hugin "security" issue is one that has been raised in priority so it stands out, because it is collectd indicating a disk is nearly full
[03:53] <ghost13> do you run a single server for each task? ssh, httpd, etc?
[03:53] <twb> ghost13: about one full rack of physical servers, plus about 25 virtual ones, a couple of APs running OpenWRT, a couple of LJ4s, and a hot desk workstation.
[03:53] <twb> ghost13: I run one container per service, more or less.
[03:54] <ghost13> fun fun, running 3 services on one laptop hooked into dd-wrt. running ok but hadn't seen much pressure yet :)
[03:55] <ghost13> is running virtual servers more or less like vhost on apache? or is it for running apps?
[03:56] <twb> It is more different than similar
[03:56] <twb> https://en.wikipedia.org/wiki/LXC are "containers", they are very similar to BSD jails or Solaris zones.
[03:57] <ghost13> never quite got into that yet.
[03:57] <adam_g> zul: https://code.launchpad.net/~gandelman-a/nova/patch_fixups/+merge/96050  here is that merge that fixes the patches again. this and future proposals should just merge clean into the ubuntu-server-dev branches
[03:57] <twb> If you are used to KVM VMs, you can think of containers as very low-overhead VMs that are less secure.
[03:57] <ghost13> ahh ok.
[03:58] <twb> Sometimes when speaking in general I (and others) may refer to containers as another kind of VM, even though this is not strictly accurate
[03:59] <EvilResistance> how can you set a repository's priority for every package *except* certain packages?
[04:04] <twb> EvilResistance: set the repo prio, then set the package prio
[04:04] <twb> This is in apt_preferences(5) or so IIRC
[04:17] <EvilResistance> twb, thanks
[05:17] <linocisco> I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server.
[05:18] <linocisco> what do I do?
[05:25] <linocisco> I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server.
[05:26] <linocisco> I have one ubuntu server with two NIc cards with different subnets, one card is connected to LAN. one card is connected to Internet. I want to setup route between two cards on server so that client from LAN can lookup DNS from that ubuntu server.
[05:30] <twb> !repeat
[05:36] <uvirtbot`> New bug: #947744 in apache2 (main) "$ anchor doesn't work in Directory ~ regexp" [Undecided,New] https://launchpad.net/bugs/947744
[05:55] <TeTeT> linocisco: the server just needs to have ip forwarding between the cards enabled, it doesn't need a route, as it can access both networks. the clients however need to have the server's lan address as gateway. when the server also provides DNS, it needs to be supplied in the nameserver config, /etc/resolv.conf. Usually DNS servers are set via DHCP dynamically
[06:00] <lucascastro> linocisco:  take a look at ubuntu server guide, firewall
[06:26] <linocisco> TeTeT
[06:27] <linocisco> TeTeT, hi thanks for your explanation. I'm looking for ip forwarding. actually my server external card is connected to Host which has got internet from physical gateway. my server is on VM
[06:27] <linocisco> TeTeT, also my client is on VM
[06:29] <TeTeT> linocisco: you can check on the server with cat /proc/sys/net/ipv4/ip_forward if forwarding is enabled at all, should be 1
[06:29] <TeTeT> linocisco: on the VM, depending on the tech used, there might be firewall rules on the host that may make it harder
[06:37] <linocisco> TeTeT, what I am confused about is that I installed bind9 on that server, so I put that server's own IP in resolv.conf so that the client can point to it, but the server also has the original DNS server entries it got via DHCP. what do I do?
[06:44] <TeTeT> linocisco: the server does not strictly use itself as DNS server, but it may, as it speeds up due to caching. You don't need the DHCP servers if bind is configured correctly
[06:44] <TeTeT> linocisco: make that: does not need to strictly use itself ...
[06:51] <linocisco> TeTeT, I have vbox installed on my Windows XP host, which got internet from office router, ubuntu server got internet access from host via NAT. though I installed bind9, mine is still getting DNS from host
[06:53] <TeTeT> linocisco: well, NAT is quite evil when you want to set up routing, as the route has to go through your host. I don't think I can support you with this. I recommend changing the network structure of the guests to bridged, if possible
[06:54] <linocisco> TeTeT, all guest OS( ubuntu server and windows client)'s networking mode into bridge?
[06:55] <TeTeT> linocisco: that's what I did on my ubuntu desktop system with lots of vms on it, makes networking easier, IMO
[06:56] <linocisco> TeTeT, okok bro. so I have two cards on ubuntu server. should I also make both cards to bridge mode?
[06:57] <TeTeT> linocisco: really depends on what you want to achieve, two virtual cards bridged to the same LAN don't look too useful to me
[06:57] <bluefrog> linocisco, you should ask your IT admin to help you
[06:57] <linocisco> bluefrog, I am the IT guy
[06:58] <bluefrog> linocisco, then you should start reading (no offense) seriously
[06:58] <bluefrog> linocisco, basically all stuff  I read is kind of basic IT knowledge
[07:00] <bluefrog> linocisco, so depending on what you want to achieve, you should take care security wise. don't expose your intranet to internet and so on...
[07:30] <linocisco> hi
[08:17] <gvandeweyer> has anybody tested the ubuntu server lts 10.04.4 on a dell optiplex 990? in the previous version, the nic was not recognised, forcing to upgrade to a non-lts version
[08:22] <twb> gvandeweyer: run lspci -nn
[08:22] <twb> gvandeweyer: pastebin the result into kmuto.jp; it will tell you what is supported by what kernel
[08:22] <twb> If you mean "previous versions of 10.04", they all have the same kernel, so support will be unchanged
[08:23] <twb> http://kmuto.jp/debian/hcl/ that is
[08:30] <gvandeweyer> twb: I read that there was backported hardware support in 10.04.4, that's why i asked.
[08:30] <gvandeweyer> thanks for the lspci hint
[08:31] <twb> Oh, yeah, possibly if you enable backports and pull in a newer kernel
[08:31] <twb> I tend to avoid backports
[08:31] <twb> Anyway 12.04 is coming out in a month, so you might as well aim for that
[08:32] <gvandeweyer> 'pull in a new kernel' is an issue if you don't have ethernet support :-)
[08:32] <gvandeweyer> indeed, I just might wait for 12.04.
[08:32] <twb> gvandeweyer: uh, so put in a temporary second nic
[08:33] <twb> Or use apt-walkabout, or ethernet over firewire, or whatever.
[08:33] <twb> Use some INITIATIVE man
[08:34] <gvandeweyer> :-)
[09:03] <uvirtbot`> New bug: #947804 in lxc (universe) "Unable to start lxc instances" [Undecided,New] https://launchpad.net/bugs/947804
[09:25] <lynxman> morning o/
[10:06] <linocisco> hi all
[10:07] <linocisco> I found ip_forward is always 0, however I edited or changed it via nano into 1
[10:07] <linocisco> what do I do?
[10:11] <rbasak> linocisco: it probably won't work if you use an editor, since it's not a normal file and the editor will try and rename a new file over the top.
[10:11] <linocisco> so what do I do?
[10:11] <rbasak> linocisco: use "echo 1 > ip_forward" instead of "nano ip_forward" (and fix the path if you're in a different directory)
[10:12] <linocisco> I tried "echo 1 > /proc/sys/net/ipv4/ip_forward"
[10:12] <rbasak> linocisco: this will only change it until next reboot. To keep it persistent across reboots, edit the file /etc/sysctl.conf (you can use nano for that)
[10:12] <rbasak> linocisco: that should work if you're root. If you're trying to use sudo, it won't work directly, since the redirection is done as the user. I use "sudo -i" to get a root prompt first.
[10:13] <linocisco> rbasak, but my client could not ping to external card's gateway
[10:13] <rbasak> linocisco: does "cat /proc/sys/net/ipv4/ip_forward" now say 1?
[10:14] <linocisco> rbasak, yes. it is now 1
[10:14] <rbasak> OK, so then you have some other problem. Perhaps routing or firewall.
[10:15] <linocisco> rbasak, i can ping to external card's IP of ubuntu server from my XP client
[10:16] <rbasak> Are you sure you don't need NAT?
[10:20] <linocisco> rbasak,  i need nat
[10:20] <linocisco> echo 1 > /proc/sys/net/ipv4/ip_forward is not ok?
[10:21] <rbasak> linocisco: no, that will only enable forwarding without nat
[10:21] <rbasak> You need to add nat rules as well
[10:21] <_ruben> assuming you want that to be permanent (persistent across reboots), you should edit /etc/sysctl.conf instead (or probably even better, add a file to /etc/sysctl.d/)
[10:21] <rbasak> http://www.netfilter.org/documentation/index.html#documentation-howto - there's a nat howto
[10:21] <linocisco> ya
[10:27] <Daviey> jamespage: Hey, are you touching ci this week?
[10:30] <linocisco> rbasak, I think I just need only one line like that" iptables -t nat -A POSTROUTING -o [external NIC card] -j MASQUERADE
[10:30] <linocisco> " , right?
[10:38] <linocisco> rbasak, how to check existing iptables command?
[10:38] <linocisco> rbasak, how to check existing iptables commands?
[10:38] <linocisco> rbasak, how to check existing iptables commands which has been entered?
[10:53] <diplo> linocisco, iptables -L
[10:53] <linocisco> diplo, and then?
[10:53] <diplo> That will list iptables rules
[10:54] <diplo> Good read here for basics : https://help.ubuntu.com/community/IptablesHowTo
[11:02] <linocisco> diplo,
[11:02] <linocisco> I found Chain input/chain forward and change output with heading
[11:13] <jamespage> Daviey: yep
[11:15] <linocisco> entering "/sbin/iptables -P FORWARD ACCEPT
[11:15] <linocisco> " in rc.local is correct?
[11:26] <jamespage> jodh, what's the best way to programmatically determine the status of a service?  grep the output of service XX status?
[11:27] <jamespage> Daviey, I see lots of discussion last night - what needs doing?
[11:30] <jodh> jamespage: you can do that, or maybe use the D-Bus interface if that's more appropriate for your needs? If you care about being notified of state changes, use D-Bus.
[11:30] <jamespage> jodh, hmm - now that is an interesting idea
[11:34] <linocisco> hi
[11:35] <linocisco> i can now ping to gateway of external card
[11:35] <linocisco> but proxy is not ok yet though I have edited in squid
[11:40] <linocisco> hi
[11:51] <linocisco> I followed that https://help.ubuntu.com/11.04/serverguide/C/squid.html. but client doesn't get internet through squid yet
[12:00] <linocisco> my squid does not work yet
[12:29] <aibo> hi after boot I'm getting clean /etc/resolv.conf, I need to store nameserver permanently, how can I do it?
[12:32] <aibo> oh, solved
[12:39] <soren> zul: Why did the adduser call in keystone get moved to preinst?
[12:40] <zul> soren: i was trying to break up the postinst before it got too big
[12:42] <soren> zul: By moving half of it into the preinst?!?
[12:43] <zul> soren: yep
[12:43] <soren> zul: You do understand they serve different purposes, right?
[12:43] <zul> soren: right
[12:43] <soren> zul: So you can't just move stuff back and forth willy nilly.
[12:50] <zul> right
[12:50] <zul> it will be fixed in the next upload
[12:50] <zul> i dont know how yet but it will
[13:01] <soren> zul: Don't... know... how? Just move it back?
[13:01] <zul> soren: probably
[13:01] <soren> zul: You said you moved it because the postinst was getting too big.
[13:01] <zul> soren: im going to play with it this week
[13:02] <zul> anyways i have to drop liam off at the bus bbl
[13:02] <soren> Have fun.
[13:02] <zul> and freeze my arse off at the same time :)
[13:08]  * koolhead11 burps
[13:17] <Daviey> soren: Hmm, if it's just adduser handling, what issues do you expect to see, between doing it in the postinst or preinst?
[13:21] <eutheria> i would like to backup my lucid server to a remote host, I tried duplicity because of its encryption, however it seems to be fairly buggy, can anyone suggest an alternative?
[13:28] <pmatulis> eutheria: rsync
[13:30] <eutheria> pmatulis, with encryption?
[13:31] <eutheria> if duplicity was more reliable it would be fantastic, for backing up to a remote host securely
[13:31] <soren> Daviey: First of all, it was done without adding a Pre-Depends on adduser.
[13:32] <soren> Daviey: But that aside, adding users typically happens in postinst. It was *moved* into preinst. There could be reasons why this is needed. I just don't see them.
[13:33] <soren> Daviey: "Make postinst shorter".. not a good reason.
[13:33] <Daviey> soren: To be fair, on Ubuntu, this is just a lintian warning.  I've *read* your views on trivial lintian warnings :)
[13:34] <soren> Daviey: What is just a lintian warning? The lack of Pre-Depends?
[13:34] <Daviey> soren: yes
[13:35] <pmatulis> eutheria: yes, rsync can use ssh encryption
[13:36] <zul> good morning
[13:36] <eutheria> pmatulis, not the network layer, the file system of the remote machine is where i need the encryption
[13:36] <soren> Daviey: How is it deemed just a warning when it'll make the install fail?
[13:37] <Daviey> soren: How many Ubuntu boxes do you know that don't have adduser installed?
[13:37] <Daviey> Whilst it isn't Priority: required, it is in base, right?
[13:38] <Daviey> s/base/minimal/
[13:39] <soren> Daviey: It *is* priority: required.
[13:39] <soren> Daviey: And there is a Depends: on it. But there's no PRe-depends. But this is not the point.
[13:39] <Daviey> is it?
[13:39] <soren> The point is that postinst and preinst aren't the same thing.
[13:39] <Daviey> $ dpkg -I adduser_3.113ubuntu2_all.deb  | grep Priority Priority: important
[13:40] <Daviey> line break fail, but ygti
[13:40] <soren> So if you move stuff between them, I sure hope there's a better explanation than "the other one was getting too big".
[13:40] <soren> Daviey: That may be what the package claims.
[13:40] <soren> Daviey: The archive says otehrwise.
[13:41] <soren> otherwise, even. apt-cache show adduser | grep Priority:
[13:41] <soren> Priority: required
[13:42] <Daviey> soren: true dat
[13:42] <rbasak> eutheria: use LUKS or ecryptfs on the remote end?
[13:42] <Daviey> soren: so either way, do you agree that it is little more than a lintian warning?
[13:43] <rbasak> eutheria: or if you want to use an external provider, take a look at tarsnap
[13:43] <eutheria> rbasak, i have no control over the backend
[13:44] <rbasak> eutheria: duplicity is the only answer I know of then.
[13:44] <eutheria> duplicity seems great but buggy
[13:45] <soren> Daviey: I don't get wound up about what Lintian says. It's an unexplained change that I wondered about. The answer left me wondering even harder.
[13:45] <Daviey> soren: ok, fair comment.
[13:47] <koolhead11> nijaba: around
[14:36] <jamespage> Daviey: you pinged me earlier about CI?
[14:37] <Daviey> jamespage: ah yes.. Wanted to know what was in the works for this week?
[14:38] <jamespage> Daviey: refactoring to make the tarball creation/build process more re-usable
[14:38] <jamespage> figuring out the best way to manage all of the jenkins jobs...
[14:38] <jamespage> generally consolidating everything that had been done to-date
[14:38] <Daviey> jamespage: Have you been tracking tempest integration?
[14:39] <Daviey> and juju as a client test?
[14:40] <jamespage> Daviey: tempest integration - no adam_g is point on that
[14:41] <jamespage> juju as a client test == new requirement so I'm guessing no work has been done on that
[14:41] <jamespage> we are still running devstack in the lab
[14:42] <uvirtbot`> New bug: #932800 in glance (main) "New glance dependency: ca-certificates" [Medium,Fix released] https://launchpad.net/bugs/932800
[14:42] <Daviey> jamespage: sorry, what is devstack doing?
[14:42] <Daviey> the exercise.sh?
[14:42] <jamespage> yep
[14:49] <koolhead11> BTW before i could think of it uksysadmin has already made this simple script for keystone https://github.com/uksysadmin/OpenStackInstaller/blob/essex/keystone-services.sh
[14:50] <koolhead11> am testing it from ubuntu keystone package
[14:54] <lynxman> jamespage: do you have 5 mins for a packaging doubt I have? If so dm me pls
[14:55] <jamespage> lynxman, sure
[14:56] <lynxman> jamespage: thanks :)
[15:18] <koolhead11> thanks to zul Daviey i can sleep in peace tonight!! :)
[15:35] <stgraber> jjohansen: any news on a fixed apparmor? we started getting bug reports of broken lxc...
[15:40] <mali> hey.. I notice slappasswd does not handle passwords well. it would seem it is most likely the same issue which seems to have been patched in january by debian aka, passwd field is not enclosed by brackets. So what is the best way for me to patch my server... wait for you or sort it out myself?
[15:51] <uvirtbot`> New bug: #948115 in mcollective (universe) "Detect if system is running upstart seems wrong" [Undecided,New] https://launchpad.net/bugs/948115
[15:51] <jjohansen> stgraber: sorry fixed the bug I was expecting and turned up more, I am running through some testing on the latest set of patches now
[15:52] <stgraber> jjohansen: ok
[16:31] <uvirtbot`> New bug: #948156 in php5 (main) "Include PHP 5.4 to Ubuntu 12.04  release" [Undecided,New] https://launchpad.net/bugs/948156
[16:31] <uvirtbot`> New bug: #948157 in ntp (main) "package ntp 1:4.2.4p8+dfsg-1ubuntu2.1 failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1" [Undecided,New] https://launchpad.net/bugs/948157
[16:35] <therve> hi there
[16:35] <therve> my nice rabbitmq fix got bumped with the latest upgrade, anything I can do about it?
[16:37] <therve> #913464 fwiw
[16:37] <jamespage> lynxman, ^^ know you are working on rabbitmq to tidy up stuff - can you re-instate the fix for bug 913464
[16:37] <uvirtbot`> Launchpad bug 913464 in rabbitmq-server "rabbit creates new PAM session" [Medium,Fix released] https://launchpad.net/bugs/913464
[16:38] <therve> jamespage, thanks :)
[16:38] <lynxman> jamespage: yessir
[16:38] <jamespage> lynxman, ta
[16:38] <jamespage> therve, np
[16:39] <lynxman> jamespage: actually I already had it in mind, it was in the diff (looking at it)
[16:39] <jamespage> sweet
[16:40] <mali> hi, which channel is a normal linux support chan_
[16:41] <mali> ubuntu+1_
[16:41] <zul> adam_g: can you review the glance ubuntu/debian merge proposal please
[16:44] <adam_g> zul: yeah, just added a comment about a typo in patch
[16:44] <adam_g> zul: will look closer in a bit and build some test packages
[16:44] <zul> adam_g: typo in which patch?
[16:45] <adam_g> zul: the one that sets the default pipeline/paste flavor
[16:45] <zul> adam_g: ah ok
[16:46] <adam_g> zul: also, https://code.launchpad.net/~gandelman-a/nova/patch_fixups/+merge/96050 this syncs patches back to a known working state
[16:46] <zul> kk
[17:05] <mali> hey guys
[17:05] <mali> finally
[17:06] <mali> I noticed that in slapd when configuring for the ldap admin password, "advanced passwords" often fail, due to the slappasswd script not enclosing the variable in "" . What is the best thing for me to do to patch this?
[17:06] <mali> patch it locally then lock down my version?
[17:07] <mali> kinda sounds like security updates can easily break.. or do I give ya the patch and ask why , since this was fixed in january in debian and upstream around then.. it still isn't in ubu? :_p
[17:10] <rbasak> mali: this fix isn't in the current development version?
[17:12] <rbasak> mali: and do you know in which version it was fixed in Debian?
[17:12] <mali> I just came back to ubuntu server ONLY for server reasons and not ever desktop reasons again so I wouldn't know. I can only say looking at this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635931 and the patch http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=slappasswd.patch;att=1;bug=635931 upstream and debian fixed this already in jan
[17:12] <uvirtbot`> Debian bug 635931 in slapd "slapd fails to install due to configuration error" [Normal,Fixed]
[17:13] <rbasak> OK so this was fixed in Debian in 2.4.28-1
[17:14] <mali> I can confirm that on the oneiric server I installed today and running the script it fails with my 35ish character long password and does seem however to work if I do it manually (slappasswd) and enclose with " although I think that becomes part of the password. dpkg-reconfigure does seem to work after I reran it manually
[17:14] <rbasak> Ubuntu precise is on 2.4.28-1.1ubuntu3 so it probably has the fix.
[17:14] <mali> (I am checking now.. I haven't been on ubuntu , you see, since
[17:14] <rbasak> Oneiric is on 2.4.25-1.1ubuntu4.1
[17:14] <mali> ah ok, so precise server is out or in beta?
[17:14] <rbasak> Beta
[17:14] <mali> ya ok. I see.
[17:15] <mali> thank you rbasak . Does this mean then I have to patch a lot of stuff myself for about 3-6 months on a production server, in general?
[17:15] <rbasak> The bug was fixed in Debian only in January, and Oneiric was released in October. Hence it won't be expected to have the fix unless there's an SRU.
[17:16] <mali> ok. I know it is not a threat as such, except, it doesn't allow for rather more secure passwords, which for me... being the root password for ldap, is rather half important.
[17:16] <mali> so I am just trying to get my head around how it the ubuntu server team works. Sorry if I seem outdated on this as I am.
[17:18] <mali> but given Canonical and Debian as such is more voluntary or so... how come it goes slower on ubuntu ? (please bear my ignorance as I left Ubuntu Studio at the time due to this unity thing they had) no sure if it still will be in ubuntu but I am only here for the ubuntu server.
[17:18] <rbasak> mali: if you want, you can request an SRU: https://wiki.ubuntu.com/StableReleaseUpdates
[17:18] <rbasak> mali: brb
[17:20] <mali> no, it's ok rbasak: sorry, it is just me who's kinda not used to seeing if server / desktop follow similar methods of update.. and also getting used to ubuntu server options as I am starting some businesses but will be setting up most of the infrastructure on the production systems myself along with an admin and two i will enlist. For now I am doing testing to see which system to go for.
[17:21] <mali> I suspect BSD should be the winner but since I was always a linux bloke, I am sticking to it. I am on arch linux now which is so amazing but I just can't think quite rolling release might be dodgy on server systems in a small business.
[17:22] <mali> A huge business with many redundant servers and a large team for testing , for sure it is the best but ye. I do hmmm, worry a bit if certain updates might be slow. Although this is not a security issue more than indirectly (simple passwords do not fail but which production server would use simple passwords)
[17:24] <kraut> i just went into some creepy situation with ecryptfs on nfs... http://pastebin.com/j0JbCwYn
[17:24] <kraut> is that interesting for you?
[17:25] <rbasak> mali: Ubuntu is based on Debian. So updates in Debian filter through to Ubuntu usually upon the following Ubuntu release.
[17:25] <mali`aweeh> ya, that is an upstream bug though I think. kernel code is erroneous.
[17:26] <kraut> mali`aweeh: did you mean me?
[17:26] <mali`aweeh> ya
[17:26] <kraut> mali`aweeh: ah, thanks for the tip. do you got any bug id?
[17:26] <kraut> or anything else where i can look?
[17:27] <mali`aweeh> ya I know rbasak but with all the users ubuntu took on from debian and given it is a company which also offers server professional support, one would think it wasn't like just hacking debians stuff again :p but what do I know. that's why I was asking :) anyway, dog walkie time.
[17:27] <rbasak> mali: once a release is made, it generally isn't changed to keep it stable. This is the same as Debian and most other distributions. Arch is an exception
[17:27] <mali`aweeh> ye but you do patch security updates though through right?
[17:27] <rbasak> mali`aweeh: yes, and bugfixes are backported as well
[17:28] <mali`aweeh> so I agree, one wouldn't get the upstream version fix but
[17:28] <mali`aweeh> ya.. ok cool.
[17:28] <kraut> oO
[17:28] <rbasak> mali`aweeh: usually bugfixes are backported on request
[17:28] <mali`aweeh> I would expect perhaps a patch
[17:28] <rbasak> mali`aweeh: see https://wiki.ubuntu.com/StableReleaseUpdates for details of the policies and process
[17:28] <jdstrand> mali`aweeh: we have a team dedicated to providing security support for ubuntu. it is separate from the bug fix updates you initially asked about
[17:28] <mali`aweeh> ok good. so my initial question then, which was:
[17:28] <mali`aweeh> got ya jdstrand : and that is a paid service yes?
[17:29] <jdstrand> mali`aweeh: no. it is free
[17:29] <rbasak> mali`aweeh: no, it's not paid.
[17:29] <rbasak> mali`aweeh: you can follow the process yourself
[17:29] <jdstrand> mali`aweeh: fyi, https://wiki.ubuntu.com/SecurityTeam/FAQ
[17:30] <mali`aweeh> Nice.. thanks
[17:31] <mali`aweeh> so in general, say I find N patches to perform locally, which some are low/medium priority, is it better to lock down my system for updates since I am patching myself?
[17:32] <mali`aweeh> thats the final question.. since there is info on this page
[17:32] <rbasak> mali`aweeh: if you do that you'll miss out on security and stable updates
[17:33] <rbasak> mali`aweeh: the best thing to do is to supply the patches and get them sponsored. If they conform to policy then they'll go in.
[17:33] <mali`aweeh> ye I know. that is why I am not sure what happens, if I still make locally patched versions of packages, and then wish to update other downstream fixes
[17:34] <rbasak> mali`aweeh: you can control the version number of your own packages, and you can use apt pinning to avoid getting updates for particular packages if you want
[17:34] <rbasak> mali`aweeh: you might want to look into PPAs as well
[17:34] <rbasak> https://help.launchpad.net/Packaging/PPA
[17:35] <mali`aweeh> okidokie. Well. In that case, I will patch it for now locally. repackage it. lock it. then continue ldap and all the other horsepulling mauling setup of stuff! :)
[17:35] <mali`aweeh> thanks for the help and time.
[17:36] <rbasak> no problem
[17:45] <raubvogel> If I am not mistaken, when you want to see the cert for a ldap server, you usually would do something like openssl s_client -connect ldapserver.domain.com:636 -showcerts
[17:45] <raubvogel> But, what if the ldap server only supports tls instead of ldaps?
[17:45] <mali`aweeh> I just find it funny now one has set up ldap on ubuntu server for 3 months or so, asking for this to be patched :p can confirm the old password thing still fails manually. i.e. the patch is needed. I will post it tonight if i ever get the time, sigh.
[17:57] <rbasak> mali`aweeh: I think ldap being fairly enterprisey is mainly used on the LTS release. Is this patch required there?
[17:58] <phretor> I've set the hard/soft nofile limits for my user into /etc/security/limits.conf but ulimits -n keeps displaying the default value (1024): Any clue?
[18:07] <mali`aweeh> rbasak, actually, true.. I am waiting for the new LTS release... and indeed I am using the oneiric as a testbed till it is out. I was just curious though about the process, given the LTS releases still follow the same principles, right?
[18:07] <mali`aweeh> As I am waiting for new servers anyway in about a month, which I with a little hope, will coincide more or less with the new LTS
[18:08] <mali`aweeh> and I do have the 10.04 in a vm from yesterday , I could check but for now, I am not gonna get around to do anything for a few hours
[18:11] <mali`aweeh> rbasak, nevermind, I will patch it myself either tonight or tomorrow *as I need to refresh the debian packaging system anyhow* and in precise it will be fixed (I will chuck in a report on it if there isn't)
[18:27] <smoser> utlemming, i dont think that apt retry would change much.
[18:28] <utlemming> yeah, that's what my testing is proving
[18:28] <smoser> i'm not sure whether or not it will retry on a 403, and that is the only remotely "retryable" thing
[18:28] <smoser> s/thing/error we're seeing/
[18:43] <utlemming> smoser: http://paste.ubuntu.com/871898/
[18:44] <utlemming> smoser: if you fetch the file via wget/curl, its okay, while if you fetch via apt, it fails
[18:44] <smoser> but is that reproducible ?
[18:44] <smoser> ie, does it fail again for apt ?
[18:45] <smoser> or was it just transient and you not lucky with wget/curl
[18:45] <utlemming> I'm getting the failure consistently on my instance now
[18:45] <smoser> can i come in ?
[18:45] <utlemming> I can reproduce it will....yup, give me a minute
[18:46] <utlemming> smoser: dns pinged to you privately
[18:46] <utlemming> apt is configured in debug mode
[18:47] <smoser> run by
[18:47] <smoser> run byobu, utlemming
[18:47] <smoser> and showme
[18:48] <utlemming> see the 403?
[19:03] <rbasak> thanks mali`aweeh. If you're not planning on deploying things in production until 12.04 is out, you might consider using 12.04 as your testbed now instead of oneiric. It's in beta, past feature freeze, it's mostly there apart from bugfixes, and that way you'll have an opportunity to get bugs that affect you fixed much more easily.
[19:31] <adam_g> smoser: yeah, same errors across different instance types too ive got nova-compute on one node, glance and everything else on another.
[19:31] <smoser> http://paste.ubuntu.com/871947/
[19:32] <smoser> and
[19:32] <smoser> http://paste.ubuntu.com/871940/
[19:32] <mali`aweeh> rbasak, in fact, that is a very good idea.
[19:32] <smoser> in yours (second one), it seems to me that init in the ramdisk must be failing *very* early
[19:33] <mali`aweeh> back, by the way. Grrr, I have installed a server now for the 5th time in 7 days hehe. but how long would you say till 12.04 is out? mid april?
[19:34] <adam_g> smoser: can you pastebin the libvirt template for the instance?
[19:34] <smoser> mali`aweeh, https://wiki.ubuntu.com/PrecisePangolin/ReleaseSchedule?action=show&redirect=PreciseReleaseSchedule
[19:34] <smoser> adam_g, that is from canonistack, so no, i cannot.
[19:34] <adam_g> ah
[19:35] <smoser> adam_g, can i get at your instance ?
[19:35] <mali`aweeh> ok end of april
[19:35] <smoser> er...
[19:35] <smoser> at your host
[19:35] <smoser> mali`aweeh, it will release on the 25th of april
[19:35] <smoser> ubuntu releases arrive on time
[19:35] <mali`aweeh> hmm, its pushing it for me but I might as well though run it and see if I can follow through.
[19:35] <mali`aweeh> ye, for me it doesn't matter if its beta or oneiric atm so sure, am downloading now.
[19:35] <adam_g> smoser: ehh not really without a bit of work
[19:36] <smoser> mali`aweeh, wait. sorry, 26th.
[19:36] <uvirtbot`> New bug: #948320 in postfix (main) "main.cf should not refer to localhost" [Undecided,New] https://launchpad.net/bugs/948320
[19:36] <uvirtbot`> New bug: #948323 in ipxe (main) "Rom images for e1000 and ne2k missign vendor and device id" [Low,New] https://launchpad.net/bugs/948323
[19:37] <mali`aweeh> ya tis ok. I was hoping to go live more around 14/15th but then again, I can't afford redundancy in servers enough to run arch *which I admit would be my preference* , besides, I need to reteach myself deb* style management again
[19:38] <mali`aweeh> but I shall rarely ever forgive the desktop attempt of forcing unity on old timers ,p
[19:38] <lamont> I'm inclined to call 948320 a configuration error: localhost had better be resolvable
[19:39] <_ruben> and localhost is ::1 as well ;)
[19:39] <_ruben> and not being able to resolve localhost is indeed, well, at least troublesome :)
[19:40] <SpamapS> several RFC's require localhost to be resolvable and always treated specially
[19:40] <smoser> adam_g, so you have the fifo patch from rbasak ?
[19:40] <smb> smoser, note above ipxe bug. I think the quicker fix could be in xen (I am working on another report for that). KVM itself seems to work differently, so it does not seem to require the pci id in the rom header.
[19:42] <smoser> adam_g, you're in the initramfs at this point
[19:42] <smoser> so you might be able to reproduce just using the initramfs and kernel (kvm -kernel -initramfs -apend)
[19:42] <smoser> but i don't know.
[19:42] <smoser> as it seems to me like it is racy
[19:42] <smoser> you are using the fifo output ?
[19:45] <adam_g> smoser: adding --no-log to kernel parameters fixes it
[19:46] <adam_g> smoser: https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/936667
[19:46] <smoser> adam_g, i don't know that i understand (or believe) that :)
[19:46] <uvirtbot`> Launchpad bug 936667 in upstart "Upstart early job logging causes boot failure for systems with no initramfs (error is "No available ptys")" [High,Confirmed]
[19:47] <smoser> well, maybe now i believe it
[19:47] <zul> smoser: heh
[19:47] <smoser> but how did you get no initramfs
[19:47] <smoser> ?
[19:48] <adam_g> smoser: no idea, just gave that a shot when i had a libvirt domain manually defined. adding it to the nova xml template gets me a booted instance
[19:49] <smoser> that doesn't make sense.
[19:49] <smoser> oh.
[19:49] <smoser> i see.
[19:49] <smoser> you registered a kernel
[19:49] <adam_g> smoser: http://paste.ubuntu.com/871975/ same instance
[19:49] <smoser> not disk image, but kernel.
[19:49] <smoser> ie, you used the tarball
[19:50] <adam_g> smoser: i extracted and used glance add..aki, glance add..ami
[19:50] <smoser> right.
[19:50] <smoser> so generally, you dont want to do that :)
[19:50] <smoser> its good you found this bug, but you really want the .img file, not the .tar.gz file.
[19:51] <adam_g> smoser: well, in theory that should work just as well as any other method, no?
[19:51] <smoser> well...
[19:51] <smoser> you want the .img file.
[19:52] <smoser> because it is a "full disk image" whereas inside the .tar.gz file there is only a partition image (or, rather a un-partitioned disk image).
[19:52] <smoser> the issue with the second is that there is no bootloader installed, so you have to supply a kernel
[19:52] <smoser> and in doing so, you will not be able to 'apt-get dist-upgrade && reboot' and get a new kernel.
[19:52] <smoser> ie, if you do, you'll reboot into that old kernel that you registered with.
[19:52] <adam_g> right
[19:53] <smoser> but yeah, other than that, it "should work"
[19:53] <smoser> :)
[19:54] <adam_g> smoser: whats the workflow for upload the .img?  just 'glance add container_format=ami disk_format=ami < foo.img' with no aki specified?
[19:54] <smoser> i have to look in devstack.
[19:54] <smoser> cloud-publish-image ....
[19:54] <adam_g> ok
[19:54] <smoser> or cloud-publish-ubuntu
[19:55] <adam_g> ill check. i didnt know devstack did anything other than what i was doing
[19:55] <smoser> (you are more than welcome to make those 2 commands use glance and shortcut the ec2 api)
[19:56] <smoser> adam_g, you're right
[19:56] <smoser> glance add -A $SERVICE_TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}")
[19:56] <smoser> adam_g, in essex is there a reasonable expectation that the above would be doable by a non-admin user ?
[19:57] <adam_g> smoser: yes, you dont need to be an admin to use the glance client.
[19:57] <smoser> if so, and we had bug 928378 fixed, then we could easily make cloud-publish-image upload to glance.
[19:57] <uvirtbot`> Launchpad bug 928378 in glance "glance client should be separate from server" [Medium,New] https://launchpad.net/bugs/928378
[19:58] <adam_g> smoser: AFAIK, in theory the images a regular user publishes are accessible by users associated with its tenant, unless is_public=true.
[19:58] <adam_g> ill check on that, though.
[19:58] <smoser> we'd just have to make bucket optional if nova path was taken (ie, normally it requires 'arch, image, bucket' as inputs)
[19:59] <smoser> adam_g, i would like to do this.
[19:59] <smoser> as it would make people able to use 'cloud-publish-image' or 'cloud-publish-tarball' as a consistent'ish interface.
[19:59] <adam_g> smoser: im gonna get something to eat, get the regular .img published through glance w/o using any utils. i want to verify what i just said about users/tenants, too
[20:00] <adam_g> smoser: isn't glance client part of glance-common?
[20:00] <adam_g> (which alone doesn't pull in either server)
[20:00] <smoser> $ dpkg -S `which glance`
[20:00] <smoser> glance-common: /usr/bin/glance
[20:00] <smoser> it appears to be now.
[20:01] <soren> Doh.
[20:01] <soren> Oh, that's the client?
[20:01] <smoser> yeah.
[20:01] <soren> s/Doh//
[20:01] <smoser> so thats a good thing.
[20:01] <soren> Yeah.
[20:01] <adam_g> it perhaps should be separated into its own package though
[20:01] <smoser> but 'glance-client' would be better.
[20:01] <smoser> yeah.
[20:01] <adam_g> glance-common should contain common dependencies for the servers, not the client
[20:02]  * adam_g lunch
[20:06] <zul> agreed
[20:17] <smb> zul, smoser, bug 948333 (I tried to be helpful by providing a debdiff ;))
[20:17] <uvirtbot`> Launchpad bug 948333 in xen "Xen: pxeboot for e1000 emulation not working" [Medium,In progress] https://launchpad.net/bugs/948333
[20:18] <zul> smb: ill get to it tonight
[20:18] <smb> zul, Cool, make sure I did not mess up any formalities (changelog and style) its kinda latish
[20:19] <zul> smb: ack
[20:19] <smoser> smb, thank you. zul thank you.
[20:43] <uvirtbot`> New bug: #939766 in nova "python-novaclient flavor-list is broken against nova diablo/stable" [High,Fix released] https://launchpad.net/bugs/939766
[20:51] <zul> bbl
[21:07] <Daviey> smb: Great contribution !!
[21:08] <Daviey> smb: I am surprised xen is still using etherboot, i thought we switched over to ipxe
[21:29] <utlemming> smoser: I found the cause of the S3 Hashsum/Size mismatch: Bug 948461
[21:31] <robbiew> SpamapS: https://bugs.launchpad.net/ubuntu/+source/chef/+bug/948437
[21:31] <robbiew> https://bugs.launchpad.net/ubuntu/+source/ohai/+bug/948438
[21:32] <robbiew> ...and boom goes the dynamite :/
[21:32] <smoser> utlemming, that doesn't make any sense.
[21:32] <smoser> packages.bz2 shows python-defer has md5sum of 3653165af1f20a437a14632ce0a2e6c2
[21:33] <smoser> but the 'Get:65' showed that 'aptdaemon' had that
[21:33] <SpamapS> robbiew: ACK
[21:33] <smoser> and per 'md5sum *' , xul-ext-ubufox_2.0-0ubuntu1 had that!
[21:33] <utlemming> smoser: yup
[21:33] <utlemming> smoser: I'll let you take a look at the evidence
[21:36] <smoser> that just seems like a really unlikely race condition.
[21:36] <smoser> i don't trust the log output
[21:36] <smoser> as it could just be serialized badly
[21:36] <smoser> but the file you have on disk there definitely seems to have different content than its name implies
[21:36] <utlemming> I've pinged you the DNS name
[21:47] <smoser> utlemming, i'm just trying to think of how that could happen.
[21:48] <utlemming> smoser: I'm pulling the code now to see if I can make heads or tails of it
[21:49] <smoser> unless you're lying to me, and you must renamed those files as a joke, i have no idea what would do that :)
[21:49] <utlemming> lol
[21:49] <utlemming> believe me, I wish it was _that_ simple
[22:15] <smoser> utlemming, how does this fail?
[22:15] <utlemming> smoser: this one is either a hashsum or size mismatch
[22:15] <smoser> you attached the wrong file in comment 2
[22:15] <smoser> (you attached a screenshot)
[22:16] <smoser> please do attach the output correctly there.
[22:16] <smoser> and then also, see if you can't reproduce on oneiric
[22:16] <utlemming> lol that was entertaining
[22:17] <smoser> or even, try installing oneiric apt on precise and see.
[22:17]  * utlemming tries replicating with oneiric
[22:17] <smoser> and have you actually seen this on non-s3 mirrors ?
[22:17] <utlemming> I have, but _very_ rarely
[22:17] <smoser> fyi, you can potentially short cut this with --download-only for apt
[22:18] <smoser> (assuming it goes through the file checks in that path)
[22:18] <smoser> utlemming, https://bugs.launchpad.net/linaro-android-infrastructure/+bug/932088 but they're not on precise.
[22:19] <smoser> so either that is not related to this, or they are seeing it on natty even.
[22:19] <smoser> anyway.
[22:19] <smoser> i've got to run.
[22:19] <utlemming> k, I'll see where I can replicate this
[22:19] <smoser> good sleuthing, utlemming
[22:20] <smoser> you should maybe tag bugs that have mention of the ec2 mirrors with a given tag
[22:20] <smoser> so we can remember them easily
[22:20] <smoser> utlemming,
[22:20] <utlemming> ec2-s3-mirrors
[22:20] <smoser> well, i'd skip 's3-mirrors'
[22:20] <smoser> er...
[22:20] <smoser> skip 's3'
[22:20] <smoser> but i dont know
[22:20] <smoser> i just want to see the others too
[22:21] <smoser> maybe tag for that too
[22:21] <utlemming> "all-hail-smoser"?
[22:21] <smoser> exactly