/srv/irclogs.ubuntu.com/2012/03/20/#ubuntu-server.txt

SpamapS	sbeattie: ugh.. the 5.5 test suite doesn't seem to want to be run out of tree. Probably will have to patch it a lot. :-P	00:08
SpamapS	sbeattie: oh wait.. hah.. no.. the problem is that mysql-testsuite is no longer a meta-package in 5.5 .. so installing it pulls in 5.1's test suite	00:11
sbeattie	SpamapS: oh! Haha.	00:12
* sbeattie sighs.		00:12
SpamapS	sbeattie: my bad. ;) I'll fix that in the upcoming 5.5.21 upload	00:12
sbeattie	SpamapS: thanks, appreciate you digging into it.	00:12
SpamapS	Still waiting for upstream to confirm that they do not believe it is safe to have a dynamically linked /usr/bin/mysql	00:12
uvirtbot	New bug: #959856 in mod-wsgi (main) "installing mod-wsgi doesn't create link in /etc/apache2/mods-enabled" [Undecided,New] https://launchpad.net/bugs/959856	01:26
uvirtbot	New bug: #959864 in samba (main) "/etc/init.d/smbd is missing LSB information" [Undecided,New] https://launchpad.net/bugs/959864	01:40
hallyn	jjohansen: jdstrand: is there a sort of aa_get_profile() to complement aa_change_profile()?	02:50
hallyn	really i just want to know if i'm confined.	02:50
hallyn	(and if not, not try to transition)	02:50
jjohansen	hallyn: yes see man aa_getcon	02:59
hallyn	jjohansen: thanks!	02:59
jjohansen	hallyn: note aa_get_peercon will only return an error atm because socket labeling isn't implemented yet	03:00
jjohansen	hallyn: also technically you are getting the context, which could be more than a profile, but since stacking isn't yet supported it is currently only a profile	03:02
jjohansen	also the profile name "unconfined" will indicate no confinement	03:02
jjohansen	hallyn: there should also be perl, python, and ruby bindings for those fns	03:03
sp4z	hi is how do i change the resolution on my ubuntu server?	04:09
hallyn	jjohansen: thanks. i only need c, and only want to check if i'm unconfined (if a transition failed)	04:24
hallyn	jjohansen: hm, seems aa_onexec requires a different transition perm than aa_change_context	04:39
hallyn	and http://wiki.apparmor.net/index.php/AppArmorAPIs uses wrong name (aa_onexec_profile)	04:43
hallyn	all right i guess lxc will use aa_change_profile() for now. it'll work, though it's not really "correct"	04:44
=== JanC_ is now known as JanC
jjohansen	hallyn: hrmm, sorry about the wiki, its uhmm about the last documentation to get updated, I'll make sure it gets a refresh for those. change_onexec does use a slightly different variation to the change_profile perm. I look and see why it isn't working	05:24
blendedbychris	is there a quick way to tunnel a request on a specific port through a ubuntu box/	06:16
SpamapS	blendedbychris: ssh -L or ssh -D	06:16
SpamapS	blendedbychris: or ssh -R if you want to go from the remote to your local machine	06:16
blendedbychris	SpamapS: can that watch for any application though that tries to use port 389 for instances	06:18
blendedbychris	instance*	06:18
SpamapS	blendedbychris: no, thats just a quick and dirty tunnel.. you'd have to tell the app to use the tunnel	06:18
SpamapS	blendedbychris: if you want an IP level tunnel.. openvpn is pretty simple	06:19
blendedbychris	what do you call the "middle" node? the proxy?	06:20
blendedbychris	the openvpn method might work if i could set some arbitrary hostname	06:20
blendedbychris	so ldap://proxy:389 -> 50.32.111.22 (my proxy) -> ldap://10.32.33.53:389	06:21
=== bladernr_afk is now known as bladernr_
SpamapS	blendedbychris: yeah, you could just use ssh for LDAP with 'ssh -L 389:10.32.33.53:389 50.32.111.22'	06:30
SpamapS	blendedbychris: but that would only work if you did that on every client	06:31
SpamapS	blendedbychris: for openvpn you're basically setting up an IP tunnel, so it gets more complicated	06:31
blendedbychris	SpamapS: are you pretty familiar with ldap?	06:32
blendedbychris	i'm kinda naive in the subject…	06:32
blendedbychris	does the standard ldap:// protocol have encryption at all?	06:32
blendedbychris	this really just solves half the problem is what i'm getting at … that internal server needs to be encrypted too ideally	06:33
SpamapS	blendedbychris: LDAP can use STARTTLS to do encryption, or you can run it fully wrapped in SSL as 'ldaps' which runs on port 636	06:34
SpamapS	blendedbychris: depends on what your clients support. Most modern ones can do starttls	06:34
blendedbychris	client meaning the app requesting say an ldap search?	06:35
SpamapS	blendedbychris: righ	06:39
blendedbychris	SpamapS: gotcha… currently it looks like i am only able to connect via plaintext…	06:46
blendedbychris	if i force TLS i get TLS: peer cert untrusted or revoked (0x42)	06:46
blendedbychris	running ldapsearch -h 10.1.50.211 -p 389 -ZZ -d5 -b "" -s base "(objectClass=*)"	06:47
blendedbychris	not sure if i've set my certs up properly though	06:48
SpamapS	blendedbychris: looks like no	06:48
twb	FFS	06:49
SpamapS	blendedbychris: probably not trusted. Thats why people avoid end-to-end SSL.. its a nightmare to manage :)	06:49
blendedbychris	do i have to grab the cert from the ldap server?	06:49
twb	"Customer, you need to enable 88 and 464 from AD to your test VM for me to set up krb on it" "Them, I opened 88 and 464, what was your IP again?"	06:49
twb	IOW I think they just opened their krb to the internet :-/	06:49
blendedbychris	too many acronyms	06:50
blendedbychris	brain imploded	06:50
SpamapS	blendedbychris: this is a twinkie.. it represents the normal bad security energy on the internet for any one entity. Now, imagine a twinkie roughly the size of manhattan.	06:58
blendedbychris	ugh	06:59
blendedbychris	i'm ignoring that	06:59
blendedbychris	tcpdump… how do i make it output the actual data instead of just the summary ?	06:59
blendedbychris	haha	07:01
blendedbychris	love it	07:01
twb	SpamapS: where is that quote from?	07:02
twb	Ghostbusters?	07:02
blendedbychris	with TLS should I see unencrypted data in tcpdump?	07:04
twb	blendedbychris: only the word "STARTTLS"	07:06
blendedbychris	twb: thanks	07:06
twb	blendedbychris: well that and maybe a EHLO or HELO or whatever, depends on the protocol	07:07
blendedbychris	well definatly not the password right heh?	07:07
twb	blendedbychris: you're using 389?	07:07
blendedbychris	yes	07:07
twb	Port 389 I mean	07:07
twb	OK so that's starttls	07:07
twb	the ldaps port is assumed to be TLSd from the get-go	07:07
blendedbychris	wait what?	07:08
twb	There are two ways of doing TLS. Either you use the plaintext port and start every conversation with "quick turn on TLS!" or you use a dedicated port.	07:08
SpamapS	twb: yes that was ghostbusters :)	07:08
twb	e.g. smtps. imaps, ldaps are dedicated ports	07:08
twb	SpamapS: good because I couldn't find the bloody quote... stupid ddg	07:08
SpamapS	it was really badly botched	07:09
twb	http://en.wikiquote.org/wiki/Ghostbusters	07:09
blendedbychris	i have a more important question… who the hell would enable 389 and not force starttls?	07:09
twb	SpamapS: no kidding	07:09
twb	blendedbychris: lazy people	07:09
SpamapS	Well, let's say this Twinkie represents the normal amount of psychokinetic energy in the New York area. Based on this morning's sample, it would be a Twinkie... thirty-five feet long, weighing approximately six hundred pounds.	07:09
twb	I think I'm still doing it at some prisons	07:09
blendedbychris	is it typical to run 686 with starttls?	07:10
twb	blendedbychris: you can't run starttls on 636	07:10
twb	That only takes tls	07:10
blendedbychris	gotcha	07:10
blendedbychris	does this sound right… i'm asking my it dudes for the public cert and an account that has access to "poll" the directory	07:17
blendedbychris	query the directory?	07:17
twb	They should have a certificate hierarchy, and you should add their CA cert to your trusted cert list	07:21
blendedbychris	isn't that what i'm asking for?	07:21
blendedbychris	their public ca cert?	07:21
twb	If they are stupid and lazy, instead of having a cert hierarchy, they will have self-signed certs everywhere, in which case you ask specifically for the cert they're using for LDAP	07:21
twb	certs are always "public"; they're just public keys signed by other keypairs	07:22
blendedbychris	okay so what's the smartest way i can ask heh	07:22
twb	What are you actually trying to achieve?	07:22
blendedbychris	get the cert and probably have them make another account to query ad	07:22
blendedbychris	so i can use starttls	07:23
blendedbychris	on some web server we run externally	07:23
blendedbychris	currently we have an internal web server that is performing queries in plaintext	07:23
twb	So ACTUALLY what is happening is you have a working AD LDAP/krb infrastructure, and you have a new httpd, and you want people to be able to log into web apps under the new httpd using their existing AD accounts?	07:24
blendedbychris	correct	07:24
twb	And everything is working except it's not encrypting the LDAP conversation?	07:24
blendedbychris	well i am about to add another httpd that isn't even hosted internally so starttls is a must	07:25
blendedbychris	but yes	07:25
twb	OK	07:25
twb	The new httpd is running Ubuntu 10.04?	07:26
blendedbychris	ya	07:26
twb	And is it apache, or what?	07:26
blendedbychris	nginx	07:26
twb	OK, is nginx using PADL libpam_ldap, or what?	07:26
blendedbychris	php's whatever	07:27
blendedbychris	is the client	07:27
twb	Ugh	07:27
twb	Do you know the path to the ldap.conf that <whatever> is reading?	07:27
twb	e.g. is it /etc/ldap.conf or /etc/ldap/ldap.conf	07:28
blendedbychris	big ol guess that it's /etc/ldap/ldap.conf	07:28
twb	You need to know what LDAP client it's using and what config file to edit	07:28
twb	Ubuntu at a minimum has both the ones I just mentioned, used by different LDAP clients :-/	07:29
blendedbychris	let me double check	07:29
blendedbychris	it's using openldap	07:30
twb	On what do you base that conclusion?	07:30
twb	Actually an easy way to test it would just be to put bullshit in the suspected file, restart the app, and see if it is broken	07:31
twb	Looking at ldap.conf(5), it seems that you cannot say "always use starttls". You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the app issues a starttls by configuring the app.	07:32
twb	FWIW I just use ldaps, although the #openldap people didn't seem to like that	07:33
blendedbychris	ya	07:33
blendedbychris	everything i read it's "dated"	07:33
blendedbychris	whatever	07:33
blendedbychris	twb: i'm basing that conclusion on php manual i guess…. it mentions openldap	07:34
twb	http://paste.debian.net/160386/ is what my ldap.conf looks like; I symlink /etc/ldap.conf and /etc/ldap/ldap.conf together; the #openldap people hate that, too.	07:35
twb	Note that "ldap" resolves to my LDAP server, which listens on 636/tcp, and cyber.pem is my CA cert	07:35
blendedbychris	righto	07:36
blendedbychris	either way though i just need to ask for a the ca cert for ldap and an account to do queries	07:36
twb	IMO your first step is to make sure 636 is open	07:37
blendedbychris	why? i don't care to use ldaps i just want to use starttls	07:37
twb	18:32 <twb> Looking at ldap.conf(5), it seems that you cannot say "always use starttls". You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the app issues a starttls by configuring the app.	07:37
blendedbychris	hrm	07:38
blendedbychris	i see what you are saying	07:38
blendedbychris	the server needs to force starttls	07:38
twb	If you want to use starttls specifically, rather than "I want the traffic encrypted", then you'll need to ask #php for help	07:38
blendedbychris	imho	07:38
twb	blendedbychris: if the ldap server only allows starttls, then you'd have a non-working system AFAICT	07:38
blendedbychris	indeed	07:39
twb	The starttls request is issued by the client side	07:39
blendedbychris	i should have a non-working system because the system that is working is working in such a way that it shouldn't :)	07:39
twb	Either the libldap to use 636 which implicitly forces TLS, or ask #php or whatever how to force starttls	07:40
blendedbychris	okay…	07:40
blendedbychris	thanks… you have gone above and beyond my desired wishes	07:40
twb	Er, s/the/tell/	07:41
twb	Be grateful they don't want SPNEGO	07:41
sabgenton	if I install a dependency with dpkg -s bladep.deb then run apt-get install thing_that_needs_that_dep	07:58
sabgenton	will it pick up bladep?	07:58
uvirtbot	New bug: #959990 in ntp (main) "unnecessary ntpdate invokation" [Undecided,New] https://launchpad.net/bugs/959990	08:11
twb	sabgenton: use apt, not dpkg	08:12
sabgenton	twb: dude the very reason I'm asking this is for times when my package isn't in a repository	08:12
twb	You should tell your vendor to fix that	08:13
sabgenton	twb: or are you saying I can use apt on a .deb?	08:13
sabgenton	twb: I very much dought ubuntu is going to repo every thing I ask for	08:15
twb	If some random crack-head makes a .deb and doesn't know how to put it in an apt repo, it is probably not a good deb for you to install.	08:16
sabgenton	I think that's a bit rude to call someone who doesn't use debian or ubuntu a crack-head	08:19
twb	I'm not interested in your opinions.	08:19
sabgenton	twb: do I basicly have to make a PPA if I want a deb to be known to apt?	08:20
sabgenton	twb: sorry	08:20
greppy	sabgenton: not everyone is twb :) just because someone stuffs it into a repo doesn't magically make it better.	08:21
twb	sabgenton: this is a deb you made?	08:21
twb	greppy: better for the end users than gdebi, which will ignore Recommends and generally make a mess of things.	08:21
twb	greppy: but sure, putting it in apt won't make it better, but hopefully someone who knows how to do that, also knows how to use things like lintian	08:22
sabgenton	no I didn't make the .deb	08:23
sabgenton	and I don't really want to talk about one .deb because I have had countless times where there's something I want to install that is a .deb but not in a repo	08:24
sabgenton	greppy: Is PPA the only way to make apt happy	08:24
sabgenton	?	08:24
sabgenton	only decent way	08:24
twb	You shouldn't install such things because they're very likely to be crap quality and mess up your system	08:25
twb	webmin would be a textbook example; its deb has three critical errors and hundreds of minor errors	08:25
sabgenton	twb: even the deb in the ubuntu repos?	08:26
sabgenton	(webmins in the repos right)	08:26
twb	!webmin	08:26
ubottu	webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.	08:26
sabgenton	heh ok	08:26
sabgenton	interesting did not know that	08:27
sabgenton	twb: so say I do make my own private package then	08:27
sabgenton	And I don't want to upload it to ubuntus repo	08:28
sabgenton	whats the best way to get it working with apt's dependency knowlage?	08:29
twb	Probably sbuild or pdebuild and reprepro	08:29
sabgenton	twb: ok, which is more preferable out of the two	08:30
twb	I haven't used sbuild before.	08:30
twb	I think pbuilder is "good enough"; sbuild is better but harder to get started with	08:31
sabgenton	wait do those tools just make .deb's	08:31
sabgenton	?	08:31
sabgenton	I'm asking how to make apt aware of them	08:31
twb	That's what reprorepo does. You upload .changes files to it using dcmd and it builds an apt repo	08:34
sabgenton	oh see	08:34
sabgenton	(sbuild or pdebuild) and reprepro	08:35
sabgenton	so the ones in paren's just make the package	08:35
twb	In a deterministic clean environment, yes.	08:35
sabgenton	twb: so with reprorepo I would make a repository on my localhost then just point /etc/apt/sources.list to it?	08:37
twb	Yes.	08:38
sabgenton	ok I guess I'll look at that	08:40
sabgenton	spose I was hoping there was an easy way to just make apt see a .dep in some sort of already made default repo on localhost	08:41
sabgenton	twb: thx for the help	08:54
lynxman	morning o/	09:26
jamespage	Daviey: rabbitmq	11:28
lynxman	jamespage: that's all needed to nag Daviey nowadays? :)	11:29
jamespage	lynxman:yep	11:29
Daviey	jamespage: yes, yes.. will do it today	12:05
Daviey	Sorry for being crap	12:05
jamespage	Daviey: no problemo	12:11
jamespage	Daviey, in all likelyhood I'm not sure its needs a FFe	12:11
jamespage	and we don't have to MIR the new packages...	12:12
ghatak	Looking for a lightweight monitoring ( preferably with history ) tool for a linux system. Don't want to use cactai/nagios etc. I want something that is quick and can monitor things like ( CPU, Memory, IO, Network ). Suggestion ?	12:12
iclebyte	ghatak, we use zabbix for this	12:13
ghatak	right let me checkzz thanks	12:13
iclebyte	just run a small agent on the remote host and let zabbix poll it. it stores historical data	12:13
iclebyte	we monitor about 40 hosts with it.	12:13
ghatak	rightoo	12:13
=== bladernr_ is now known as bladernr_afk
cloakable	Got my eye on a hifn hardware raid card for my server... would it benefit ubuntu server though?	12:25
jamespage	bencer_, all the zentyal source packages have now been accepted - they are just working their way through the binary NEW queue now	12:26
bencer_	jamespage: so the only thing needed to have them included is waiting the builders finish their work? :)	12:27
jamespage	bencer_, they have build but the new binary packages need to be accepted by the archive-admin's as well	12:27
bencer_	aha ok, cool	12:28
jamespage	bencer_, https://launchpad.net/ubuntu/precise/+queue	12:28
bencer_	jamespage: onces they hit the archive we should request the removal of ebox packages, right?	12:28
jamespage	bencer_, yes - I have a bug raised for that	12:29
* jamespage digs it out		12:29
jamespage	bencer_, bug 957109	12:30
jamespage	hmm - no bot today	12:30
jamespage	bencer_, https://bugs.launchpad.net/ubuntu/+source/ebox/+bug/957109	12:30
bencer_	jamespage: ok perfect	12:31
=== Jasonn is now known as juicy
uvirtbot	Launchpad bug 957109 in ebox "Please remove libebox, ebox and ebox-* packages from the precise archive" [Undecided,Incomplete] https://launchpad.net/bugs/957109	12:32
uvirtbot	Launchpad bug 957109 in ebox "Please remove libebox, ebox and ebox-* packages from the precise archive" [Undecided,Incomplete]	12:32
uvirtbot	New bug: #960144 in lxc (universe) "lxc-start failing to setup mounts" [Undecided,New] https://launchpad.net/bugs/960144	12:41
=== fenris is now known as Guest87935
zul	Daviey: can we rethink the nova console patch...its causes the testsuite to fail because the fifo stuff doesnt exist in the buildd	13:35
Daviey	zul: that is new?	13:49
zul	Daviey: no	13:49
zul	Daviey: just frustrating	13:49
=== bladernr_afk is now known as bladernr_
pabelanger	zul: I heard something about the Debian openstack team adding dbconfig-common support to nova and glance, do you know where that code lives? Or if it exists?	13:55
zul	pabelanger: http://anonscm.debian.org/gitweb/?p=openstack/$proj.git	13:56
zul	not swift though	13:56
pabelanger	Is the pkg-openstack team considered upstream for packaging or is ubuntu?	13:58
zul	pabelanger: for ubuntu we do our own packaging and we are kind of upstream as well	14:02
pabelanger	zul: I see, so we would never sync openstack from debian, is that safe to say?	14:02
zul	pabelanger: yes we had the packging done before them	14:04
pabelanger	zul: okay, I only ask because I have 2 reviews up for dbconfig-common support, but Debian has already added support. The patches take 2 different approaches, so I'll just wait and see how we want to move forward	14:05
zul	pabelanger: yeah i just got back from vacation so its in the queue im not so sure about adding dbconfig-common support to nova at this late in the cycle though	14:06
pabelanger	Understood, I was likely to late to the game to get it merged upstream. However, it does help with automated deployments. Worst case I'll have to package it locally	14:09
zul	pabelanger: ack	14:10
roaksoax	zul: do you have any examples that uses debconf questions for a 'select'?	14:42
zul	roaksoax: what do you mean?	14:43
roaksoax	zul: debconf questions that are of the type 'select'	14:43
zul	roaksoax: not off the top of my head	14:43
zul	postfix	14:43
roaksoax	zul: cool thanks	14:44
uvirtbot	New bug: #960262 in lxc (universe) "include an option to use aufs instead of overlayfs in lxc-start-ephemeral" [Undecided,New] https://launchpad.net/bugs/960262	14:50
Daviey	jamespage: does the rabbitmq requested upload have a PPA?	15:02
Daviey	i'd ike to point it to another upstream project to validate it.	15:02
uvirtbot	New bug: #960276 in nova (main) "a bad AMI can hang an entire compute node" [Undecided,New] https://launchpad.net/bugs/960276	15:06
jamespage	Daviey: no - but it can have one	15:28
SpamapS	jamespage: whats the situation on rabbitmq? I know 2.7.1 regressed the start/stop behavior.. anything else? Did I hear that there was a FFE needed for something?	15:36
jamespage	SpamapS, lynxman did some work to fold in the current plugin packages that are universe to rabbitmq-core	15:36
jamespage	it creates NEW binary packages from rabbitmq-server source	15:37
jamespage	I fixed up the start/stop behaviour	15:37
jamespage	but thats about it	15:37
SpamapS	Ah ok	15:39
Daviey	SpamapS: in hope of getting it in today, if it works out ok	15:39
Daviey	jamespage: does it have Breaks / Replaces?	15:39
lynxman	Daviey: it does :)	15:40
jamespage	Daviey, yes it does	15:40
Daviey	lynxman: cool	15:42
bencer_	jamespage: how long do you think will take zentyal hit the archive? the seems that from the docs team doesn't want to merge the doc until the packages are not in the archive...	15:47
jamespage	bencer_, they should land in the next day or so - the AA's review periodically	15:48
bencer_	ok thanks	15:48
hallyn	gary_poster: do you prefer I use the old aufs option ('-t\|--type'), or ('-U\|--union') ?	15:49
uvirtbot	New bug: #960336 in cloud-init (main) "grub-legacy-ec2 missing dependency: ucf" [Undecided,New] https://launchpad.net/bugs/960336	16:06
Daviey	SpamapS: meeting?	16:09
Daviey	utlemming: meeting?	16:09
gary_poster	hallyn, sorry was lunching. If -U does not take an argument, that makes sense to me.	16:13
gary_poster	-t is more future proof though, I suppose	16:13
gary_poster	IOW, hallyn, I don't have a string opinion. I guess at this instant in time, I'd lean towards -t, preferring the future-proof argument.	16:15
hallyn	-U would take aufs or overlayfs	16:20
hallyn	just as -t did	16:20
hallyn	-U just seems to be more obvious :) i was just wodnerng if anyone would be using -t in a script (from oneiric)	16:21
hallyn	gary_poster: ^	16:23
gary_poster	hallyn...not us, and this is a new script, so go with the more obvious choice	16:31
hallyn	ok	16:31
blendedbychris	i have a hyper-v server with a "synthetic" interface and a "legacy" interface i can't get the synthetic interface to show up	16:36
blendedbychris	any idea where to start ?	16:36
blendedbychris	supposedly this kernel has this driver	16:36
hallyn	jjohansen: to make /etc/apparmor.d/lxc/lxc-default be loaded at reboot, what should i do?	16:42
hallyn	(i'd have thought all files under /etc/apparmor.d just get loaded?)	16:42
jjohansen	hallyn: it should be unless its disabled. Is there a link in /etc/apparmor.d/disabled ?	16:43
hallyn	nope	16:43
jjohansen	hallyn: you can test what gets auto load with /etc/init.d/apparmor restart	16:43
hallyn	even if it's under a subdir?	16:43
jjohansen	hallyn: oh. no subdirs aren't auto-loaded	16:44
hallyn	ah	16:44
hallyn	so what shall i do?	16:44
hallyn	can i make a list somewhere?	16:44
jjohansen	hrmmm, jdstrand^ what do you think the best way to approach is	16:45
hallyn	gary_poster: d'oh, my test kernel doesn't have aufs. But I think lp:~serge-hallyn/ubuntu/precise/lxc/lxc-shutdownv2 should be enabling aufs for lxc-start-ephemeral. (and at least doesn't break overlayfs ones)	16:46
jjohansen	hallyn: sorry when it comes to packaging and ubuntu init I still find stuff that surprises me, jdstrand and kees handled most of that stuff	16:46
hallyn	jjohansen: thanks	16:46
gary_poster	hallyn, cool, getting and looking	16:47
jjohansen	hallyn: there are a couple things that can be done that I can think of. Drop a symlink in the top dir, drop an include dir in another profile file	16:47
=== duckydan_ is now known as duckydan
jjohansen	hallyn: is lxc-start in the main dir?	16:48
hallyn	yes	16:48
jjohansen	you could drop an include at the end of the file	16:48
jjohansen	just include the directory	16:48
hallyn	jjohansen: i suppose i can just leave them in the main dir. I just wanted to not pollute it too much	16:48
hallyn	?	16:48
jjohansen	any file in the directory would get included	16:48
jjohansen	so you can drop files in as you want	16:49
hallyn	#include "lxc/" ?	16:49
jjohansen	yep	16:49
hallyn	thanks will try	16:49
jjohansen	make sure the include is outside of the profile, just stick it at the end of the file	16:49
jjohansen	oh, hrmm that may mean modifying the included profile file	16:50
jjohansen	slightly so that it doesn't include the global abstraction stuff again, that has been on my list to fix for awhile but has been low priority	16:50
memoryleak	hi	16:51
hallyn	jjohansen: yeah i just noticed it's complaining about redefs	16:51
hallyn	redefinitions	16:51
jjohansen	yeah	16:52
hallyn	just made it a new empty file with only the #include :)	16:52
hallyn	thanks, i'll stop taking your time (cause i want that getcon fix :)	16:52
jjohansen	that will work	16:52
jjohansen	:)	16:52
gary_poster	hallyn, looks good, and I confirmed that it works with -U aufs here. The only issue I saw was because I already had another ephemeral running (because of the one-at-a-time aspect of lxc-wait). I'll run it through some more tests later, but +1 from me. Thank you!	16:55
hallyn	gary_poster: I may write a lxc-wait script to replace that	16:56
hallyn	I think I have to	16:56
gary_poster	that would be great, if sad that you have to do that	16:56
jdstrand	hallyn: sorry, did you get your question about policy loading during init answered?	17:00
blendedbychris	after i install ubuntu-desktop how do i remote into the gui?	17:01
jdstrand	hallyn: well, in case not, if you are shipping an upstart job, you can look at avahi-daemon.conf for inspiration. eg add something like:	17:03
jdstrand	pre-start script	17:03
jdstrand	/lib/init/apparmor-profile-load <subdir>/<profile>	17:03
jdstrand	end script	17:03
jdstrand	(note '<subdir>/<profile>' should not have '/etc/apparmor.d/' prepended	17:04
jdstrand	)	17:04
hallyn	jdstrand: what i'm doing right now is shipping a /etc/apparmor.d/lxc-containers which just has '#include <lxc>'. It's working	17:09
smoser	utlemming, if you poke at the locale stuff... i think profile.d could be made usable.	17:09
hallyn	jdstrand: if that's deemed less desirable, i'll change it, but it's working	17:09
utlemming	smoser: I've tested that profile.d code and it works	17:09
utlemming	smoser: even with the bash-isms, but yeah, I'll get that implement this week	17:10
jdstrand	hallyn: that would certainly work. it is a little odd in some ways, but is also nice in that anything else that gets dropped into /etc/apparmor.d/lxc will magically get loaded	17:10
hallyn	jdstrand: right - cool, thanks.	17:10
jdstrand	hallyn: can you paste the output of 'sudo aa-status' after having done that?	17:11
smoser	utlemming, well of course it will work in bash with bashisms.	17:11
smoser	but not if your shell is /bin/sh or zsh	17:11
smoser	profile.d probably has to be posix shell pure	17:11
hallyn	jdstrand: http://paste.ubuntu.com/892472/	17:11
jdstrand	hallyn: what are the contents of your /etc/apparmor.d/lxc directory?	17:12
hallyn	jdstrand: just /etc/apparmor.d/lxc/lxc-default right now	17:13
hallyn	(shipped with the package)	17:13
jdstrand	hallyn: and that has 'profile lxc-container-default ... {...}'?	17:13
hallyn	Recommendation in server guide will be to drop per-container profiles there if desired and manually load	17:13
hallyn	yes	17:13
jdstrand	hallyn: ok, so this will work. keep in mind that if containers start before the apparmor initscript is loaded, then things won't be confined	17:14
hallyn	jdstrand: actually they refuse to start then	17:14
jdstrand	hallyn: this is where the upstart job change would help	17:14
hallyn	jdstrand: lxc-start fails aa_change_profile() and bails	17:15
jdstrand	hallyn: ok, fair enough-- you might get a bug report about things failing to start	17:15
blendedbychris	i installed the package ubuntu-desktop … how can i remote access the gui?	17:15
blendedbychris	on server	17:15
blendedbychris	can i make it startx remotely?	17:15
hallyn	jdstrand: could be. I'm open to changing it to try and autoload, but i don't want to complicate it at this stage	17:15
hallyn	jdstrand: i'm not sure where upstart job would help with new profiles...	17:16
jdstrand	hallyn: you could fix that condition by adjust lxc-start to load the policy (like we discussed before), or use the upstart snippet I gave above to load /etc/apparmor.d/lxc-containers	17:16
jdstrand	hallyn: (which would use your #include lxc trick)	17:16
hallyn	jdstrand: I've missed something	17:17
jdstrand	hallyn: ok, the upstart job has:	17:17
jdstrand	pre-start script	17:17
jdstrand	/lib/init/apparmor-profile-load lxc-containers	17:17
jdstrand	end script	17:17
jdstrand	/etc/apparmor.d/lxc-containers contains:	17:17
jdstrand	#include <lxc>	17:18
hallyn	but lxc-containers gets loaded at start anyway... what does it gain to have it in upstart job?	17:18
hallyn	(being dense, not on purpose)	17:18
jdstrand	this has the benefit of loading whatever is in /etc/apparmor.d/lxc (like now), and you can make sure in the job that it gets started before something that uses lxc-start	17:18
hallyn	oh, cause there's no guarantee when /etc/init.d/apparmor runs?	17:19
jdstrand	hallyn: yes	17:19
hallyn	got it, thanks	17:19
jdstrand	it runs in rc 2	17:19
jdstrand	hallyn: anyhoo, food for thought. I'll let you decide what you want to do with all this info :)	17:20
hallyn	jdstrand: thanks. I'll do that. And like I say I do want to add attempts to laod policy if transition fails, but only after getcon issues are fixed.	17:20
hallyn	jdstrand: thanks, ttyl	17:20
jdstrand	hallyn: oh, one last thing: I suggest adding a clear comment in /etc/apparmor.d/lxc-containers as to what it is doing and why, so people know what is happening and aren't tempted to edit it	17:21
hallyn	good point. will do	17:22
newbchessplayer	i installed ubuntu server but cant get a gui working	17:23
newbchessplayer	i apt-get'ed gnome-shell	17:23
JanC	newbchessplayer: you probably also want a DM etc.	17:28
JanC	and Xorg, of course	17:29
JanC	newbchessplayer: but I suppose it's easier to install a regular desktop if you are new to this	17:29
newbchessplayer	dm?	17:29
JanC	something like XDM, GDM, LightDM, KDM, ...	17:29
newbchessplayer	what are they	17:30
JanC	they provide the graphical login screen etc.	17:30
newbchessplayer	yes that's what i need	17:31
JanC	but like I said: better install a desktop	17:31
newbchessplayer	ok	17:31
JanC	then you get all that out of the box	17:31
JanC	alternatively, there are several *-desktop metapackages that will install all you need for that particular desktop	17:32
newbchessplayer	what is fd0 read error?	17:33
newbchessplayer	floppy error	17:35
=== Lcawte\|Away is now known as Lcawte
kamal	Hi cloud people ... I've been getting experimenting with EC2 for a week or so, and I have a couple of technical questions about the "guest" AMI's that Canonical provides. Are the folks who construct those AMI's here perchance?	18:05
utlemming	kamal: yup...how can I lead you astray?	18:05
kamal	quite easily, I'm sure ....	18:06
kamal	first question: why is grub-pc even installed on the EC2 images? it looks to me like the only grub package EC2 actually needs/uses is grub-legacy-ec2	18:06
utlemming	kamal: correct. Even though the images in EC2 don't use the grub packages, the images that are generated can be downloaded from http://cloud-images.ubuntu.com and used in KVM, OpenStack and other virtual solutions. We try to produce generic images that are suitable for use on as many clouds as possiable.	18:07
kamal	utlemming: ok, got it	18:08
kamal	second question (maybe the same answer) ... why do the EC2 images run getty's on tty[1-6]?	18:08
utlemming	kamal: same reason...for general use else where	18:09
kamal	utlemming: ok, makes sense. last one (maybe ;-).... Do we provide a "super-minimal" cloud image? (I've constructed my own, but I'm curious).	18:11
utlemming	kamal: what do you mean by super-minimial? The images are built from the ubuntu-minimial and server patterns with the cloud-init packages put on to make them useable.	18:12
kamal	utlemming: I guess I mean an image which includes the very smallest set of packages that can be useful on a cloud-hosted VM. (I don't know anything about "ubuntu-minimal" or "patterns"). Even cloud-init isn't really necessary to construct a VM...	18:17
kamal	I.e. I have constructed a working (key-preinstalled) ubuntu EC2 AMI with just "debootstrap --variant=minbase" plus {linux-image-virtual, grub-legacy-ec2, isc-dhcp-client, openssh-server}	18:17
kamal	utlemming: so I guess I mean: do we (should we?) provide something like ^^^ that as a "minimal AMI"	18:18
utlemming	kamal: the reason we don't, is because there are problem with super-minimial images like that, in the respect that we need to provide enough tools to get the image workable. Cloud-init is a python package that handles on-boot customization, injects the keys, etc.	18:19
utlemming	kamal: what is the impitious for asking?	18:19
cwillu_at_work	kamal, if you need something stripped down, you're best of doing the stripping yourself	18:20
cwillu_at_work	there will always be something vital for you that somebody else doesn't ever use, and something they consider vital that you'd never touch	18:21
cwillu_at_work	alternatively: "Yes: the super minimal package is 'linux-image-3.3.0'"	18:21
cwillu_at_work	anything else you'd want, you can get from an initramfs you pull in over tftp	18:22
kamal	utlemming: ok, I understand that such an image wouldn't be interesting as a "cloud guest" image. my goal is to construct a lean-mean image to use as a compute-slave, and I want to avoid wasting precious microseconds or megabytes with unneeded pkgs or processes.	18:23
cwillu_at_work	kamal, did you read what I just wrote? :p	18:23
utlemming	kamal: smoser has a project called cirros that is stripped down cloud images (https://code.launchpad.net/~smoser/cirros/trunk)	18:25
kamal	cwillu_at_work: yup, but wanted to answer utlemming's question :-). I understand your advice also, thanks. Note that I'm not trying to construct an image which contains any packages that are "vital to me" though ... I'm interested in the set of packages that are "vital to boot".	18:25
cwillu_at_work	and what I said still applies	18:25
kamal	ah, smoser's project does appear to be about what I'm talking about	18:27
smoser	its not ubuntu.	18:27
smoser	its buildroot (uclibc)	18:27
kamal	smoser: well, I guess its at least the concept of what I'm talking about :-)	18:27
smoser	i'm curious why you're so interested in lean	18:28
kamal	smoser: because: why waste RAM and time with e.g. getty's?	18:28
smoser	you can probably stop them	18:29
smoser	for i in 1 2 3 4 5 6; do sudo stop $i; done	18:30
kamal	smoser: sure, but why start them at all?	18:30
smoser	in the end, anything that is wasting memory should be able to be turned off.	18:30
smoser	so then you're just wasting disk spae	18:30
smoser	space	18:30
smoser	i just find it a lot of effort for a little gain.	18:31
smoser	and if you really wanted to, you could supply cloud-init data that would not start those ttys	18:32
smoser	yes... then you'd pay the cost of code running to disbable them.	18:32
kamal	smoser: yup, now you're getting on my wavelength ;-) If I'm constructing an image for a dedicated compute-slave, which I'll run many many instances of, I think it makes much more sense to just leave unwanted stuff out of the image, as opposed to wasting the time/space to turn it off at boot.	18:34
kamal	the effort will be a one-time operation, but the gain will be multiplied by the N times the instance will be run. So I see lots of potential gain to optimizing there.	18:36
smoser	kamal, you're just simply going to spend a lot of time optimizing something and fixing bugs and pulling hair.	18:36
smoser	nothing is a one time operation.	18:36
kamal	smoser: well I guess I still have a bit of hair left to pull, so that sounds about right ;-)	18:39
kamal	anyway, utlemming, cwillu_at_work, smoser ... thanks for the answers and advice. I'll know where to come for further questions! :-)	18:39
smoser	well, if your systems spend most of their life starting and stopping, then you probably have some optimizations you can make.	18:39
smoser	if, however, you like to do other things than boot	18:39
smoser	then your % of time spent booting goes down quickly.	18:40
smoser	yes, 10 second boot on a laptop is nice, but if uptime is measured in days, 20 seconds wasn't so bad.	18:40
smoser	but anyway.	18:40
kamal	smoser: I imagine that for my application, the uptime of each system will be exactly 59 minutes (one EC2 time-chunk)	18:41
kamal	I haven't clocked anything, but I even wondered if maybe t1.micro CPU throttling might kick in during the boot process, such that it would actually be even more useful to strip down useless CPU-intensive stuff at boot.	18:42
smoser	well, then, you've given yourself a fairly good target for optimization:	18:42
kamal	(again, my only experience with cloud stuff at all is about 1 week playing with EC2)	18:42
smoser	(60 * 59 - 20) / (60 * 59) = .9943	18:42
smoser	so if you save 20 seconds in boot, you'll gain .005% cpu utilization	18:43
smoser	and i surely hope you can't save 20 seconds at goot	18:43
smoser	err... sorry . bad math. that is .5%	18:44
blendedbychris	which vnc server do i use if i want to allow windows users to use something like tightvnc to see the login screen?	18:47
blendedbychris	and login as their respective user	18:47
kamal	smoser: .5% is not entirely insignificant, I think, but its good to quantify it. maybe I'll run an actual boot speed test and really see if it makes even that much difference. again, thanks very much for the advice, this was a very useful discussion for me.	18:48
smoser	kamal, if you're interested in maximizing usefulness of time/$	18:50
smoser	then you will want tofind out the answer to something i have never figured out	18:50
smoser	(or never bothered to)	18:50
smoser	when does the clock start for your 60*60 on amazon	18:50
smoser	i suspect it starts when your request comes in, and they start doing IO on your part on their nodes.	18:50
smoser	you start booting at some point later	18:51
smoser	so that provisioning time is cost	18:51
kamal	smoser: I imagined that the clock started at moment that the instance goes from "pending" to "running" ... it wouldn't be fair for them to charge you for provisioning time, imho. I'll find out.	18:53
smoser	its easy to thikn that is no fair	18:53
kamal	yup	18:53
smoser	but in another sense it is	18:53
smoser	you're using their IO	18:53
smoser	or, rather, they're doing IO on your request	18:53
kamal	no, they are using their IO	18:53
kamal	yup.	18:53
smoser	why should you get free IO ?	18:53
kamal	imho, they charge me to "run the image". if their systems are slow and it takes them a long time to get my image to the "running" state, thats their problem, not mine (I can't do anything about it). As opposed to: if my system boots slow, then its my problem. Again, this is just my thinking. :-)	18:54
uvirtbot	New bug: #960500 in net-snmp (main) "net-snmp-config shift error" [Undecided,New] https://launchpad.net/bugs/960500	18:56
kamal	http://aws.amazon.com/ec2/faqs/#What_defines_billable_EC2_instance_hours :: Instance-hours are billed for any time your instances are in a “running” state.	18:57
kamal	smoser: ^^	18:57
smoser	ah.	18:59
smoser	well thats interesting.	18:59
smoser	but i dont know how you can get that.	18:59
blendedbychris	no one?	19:00
blendedbychris	is there not a vnc server app that works more like remote desktop?	19:00
smoser	kamal, http://paste.ubuntu.com/892613/	19:01
kamal	smoser: ec2-describe-instances shows a timestamp which I bet is the start time	19:01
kamal	hahaha	19:01
smoser	it is not	19:01
smoser	it is the request time	19:01
smoser	(as shown in that paste)	19:01
kamal	smoser: hmmm... curious. why do I care what my request time was? :-/	19:02
smoser	because its the billing start time :)	19:02
kamal	smoser: not per that FAQ though	19:03
smoser	yeah. i dont know.	19:03
cloakable	Anyone know how to combine fail2ban with remote logging?	19:07
Pici	cloakable: fail2ban appears to support logging to syslog, so you should be able to work with it from there.	19:10
cloakable	Yeah, but it wants to watch a logfile. Which presumably means running on the server accepting the logs.	19:11
cloakable	Which as far as I can tell with default configuration, means that someone trying to bruteforce my gateway will get banned on the logging server. Not useful.	19:12
cloakable	I suppose mounting the remote directory via nfs might work	19:16
maxagaz	hi	19:28
maxagaz	md5sum returns the md5 following by the file name, why not only the md5 ?	19:29
maxagaz	md5sum, is there some option to get only the md5, or only awk, cut... ?	19:30
bluefrog	md5sum without the name of the file in a list is pretty useless	19:32
marcoceppi	maxagaz: there isn't, in the ch_get_file method, when it calculates md5 sum it does md5sum <file> \| awk '{ print $1}'	19:33
=== dillydallyer__ is now known as newbchessplayer
zul	SpamapS: ping what do you think about https://bugs.launchpad.net/bugs/959426 (note we dont use mysql by default)	20:07
uvirtbot	Launchpad bug 959426 in nova "nova services start before mysql on boot" [Undecided,Confirmed]	20:07
SpamapS	zul: the age old problem. ;)	20:08
SpamapS	zul: these services should probably be more resilient to the database being unavailable and retry a few times.	20:09
zul	SpamapS: right but the upstart scripts for nova doesnt assumed that mysql is installed	20:09
SpamapS	zul: the upstart jobs are doing the right thing. Ignore the "on the same machine" bit. What if your data center goes down all at once? When you come back up.. you shouldn't have to remember what order to boot machines.	20:10
zul	right	20:10
SpamapS	we likely start mysqld and glance and nova all at the same time, on runlevel 2	20:10
zul	ok i can accept that	20:11
maxagaz	marcoceppi, ok, thanks	20:21
maxagaz	how to echo a tab ?	20:28
=== alaing is now known as funkymonk
maxagaz	echo -e "a\tb"	20:29
guampa	someone knows if postfix *_queue_lifetime can be tuned for specific smtp errors? I would want to set 2 days max for smtp 450 (mailbox unavailable)	20:44
gary_poster	hallyn, will lxc cause top to be confused about active processes in the container? I didn't expect so, but I'm seeing unexpected behavior (which may well be from other sources) that reports that only one process is active and the rest are idle. I have one active process in the host, but should have ~16 from 8 containers. my cpu usage info is also very low, according to top (>99% idle). Is any of this explainable	20:53
gary_poster	with lxc, or should I look elsewhere?	20:53
gary_poster	note that the container's processes are listed in top, it's just that are not shown as doing much	20:54
=== jvdz_ is now known as jvdz
soren	Daviey: Expect a keystoneconfig-common to appear out of nowhere soon. Should make integrating packages with Keystone a breeze.	21:51
Daviey	soren: that is awesome!!	21:56
Daviey	soren: Likely before Thurs?	21:56
soren	Daviey: It's almost done. I expect to finish testing it tomorrow.	21:58
soren	Daviey: There's probably half a million things I haven't thought about, but the other 27 things I did think about should be covered.	21:58
=== Lcawte is now known as Lcawte\|Away

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!