SpamapSsbeattie: ugh.. the 5.5 test suite doesn't seem to want to be run out of tree. Probably will have to patch it a lot. :-P00:08
SpamapSsbeattie: oh wait.. hah.. no.. the problem is that mysql-testsuite is no longer a meta-package in 5.5 .. so installing it pulls in 5.1's test suite00:11
sbeattieSpamapS: oh! Haha.00:12
* sbeattie sighs.00:12
SpamapSsbeattie: my bad. ;) I'll fix that in the upcoming 5.5.21 upload00:12
sbeattieSpamapS: thanks, appreciate you digging into it.00:12
SpamapSStill waiting for upstream to confirm that they do not believe it is safe to have a dynamically linked /usr/bin/mysql00:12
uvirtbotNew bug: #959856 in mod-wsgi (main) "installing mod-wsgi doesn't create link in /etc/apache2/mods-enabled" [Undecided,New] https://launchpad.net/bugs/95985601:26
uvirtbotNew bug: #959864 in samba (main) "/etc/init.d/smbd is missing LSB information" [Undecided,New] https://launchpad.net/bugs/95986401:40
hallynjjohansen: jdstrand: is there a sort of aa_get_profile() to complement aa_change_profile()?02:50
hallynreally i just want to know if i'm confined.02:50
hallyn(and if not, not try to transition)02:50
jjohansenhallyn: yes see man aa_getcon02:59
hallynjjohansen: thanks!02:59
jjohansenhallyn: note aa_get_peercon will only return an error atm because socket labeling isn't implemented yet03:00
jjohansenhallyn: also technically you are getting the context, which could be more than a profile, but since stacking isn't yet supported it is currently only a profile03:02
jjohansenalso the profile name "unconfined" will indicate no confinement03:02
jjohansenhallyn: there should also be perl, python, and ruby bindings for those fns03:03
sp4zhi is how do i change the resolution on my ubuntu server?04:09
hallynjjohansen: thanks.  i only need c, and only want to check if i'm unconfined (if a transition failed)04:24
hallynjjohansen: hm, seems aa_onexec requires a different transition perm than aa_change_context04:39
hallynand http://wiki.apparmor.net/index.php/AppArmorAPIs uses wrong name (aa_onexec_profile)04:43
hallynall right i guess lxc will use aa_change_profile() for now.  it'll work, though it's not really "correct"04:44
=== JanC_ is now known as JanC
jjohansenhallyn: hrmm, sorry about the wiki, its uhmm about the last documentation to get updated, I'll make sure it gets a refresh for those.  change_onexec does use a slightly different variation to the change_profile perm.  I look and see why it isn't working05:24
blendedbychrisis there a quick way to tunnel a request on a specific port through a ubuntu box/06:16
SpamapSblendedbychris: ssh -L or ssh -D06:16
SpamapSblendedbychris: or ssh -R if you want to go from the remote to your local machine06:16
blendedbychrisSpamapS: can that watch for any application though that tries to use port 389 for instances06:18
SpamapSblendedbychris: no, thats just a quick and dirty tunnel.. you'd have to tell the app to use the tunnel06:18
SpamapSblendedbychris: if you want an IP level tunnel.. openvpn is pretty simple06:19
blendedbychriswhat do you call the "middle" node? the proxy?06:20
blendedbychristhe openvpn method might work if i could set some arbitrary hostname06:20
blendedbychrisso ldap://proxy:389 -> (my proxy) -> ldap://
=== bladernr_afk is now known as bladernr_
SpamapSblendedbychris: yeah, you could just use ssh for LDAP with 'ssh -L 389:'06:30
SpamapSblendedbychris: but that would only work if you did that on every client06:31
SpamapSblendedbychris: for openvpn you're basically setting up an IP tunnel, so it gets more complicated06:31
blendedbychrisSpamapS: are you pretty familiar with ldap?06:32
blendedbychrisi'm kinda naive in the subject…06:32
blendedbychrisdoes the standard ldap:// protocol have encryption at all?06:32
blendedbychristhis really just solves half the problem is what i'm getting at … that internal server needs to be encrypted too ideally06:33
SpamapSblendedbychris: LDAP can use STARTTLS to do encryption, or you can run it fully wrapped in SSL as 'ldaps' which runs on port 63606:34
SpamapSblendedbychris: depends on what your clients support. Most modern ones can do starttls06:34
blendedbychrisclient meaning the app requesting say an ldap search?06:35
SpamapSblendedbychris: righ06:39
blendedbychrisSpamapS: gotcha… currently it looks like i am only able to connect via plaintext…06:46
blendedbychrisif i force TLS i get TLS: peer cert untrusted or revoked (0x42)06:46
blendedbychrisrunning ldapsearch -h -p 389 -ZZ -d5 -b "" -s base "(objectClass=*)"06:47
blendedbychrisnot sure if i've set my certs up properly though06:48
SpamapSblendedbychris: looks like no06:48
SpamapSblendedbychris: probably not trusted. Thats why people avoid end-to-end SSL.. its a nightmare to manage :)06:49
blendedbychrisdo i have to grab the cert from the ldap server?06:49
twb"Customer, you need to enable 88 and 464 from AD to your test VM for me to set up krb on it" "Them, I opened 88 and 464, what was your IP again?"06:49
twbIOW I think they just opened their krb to the internet :-/06:49
blendedbychristoo many acronyms06:50
blendedbychrisbrain imploded06:50
SpamapSblendedbychris: this is a twinkie.. it represents the normal bad security energy on the internet for any one entity. Now, imagine a twinkie roughly the size of manhattan.06:58
blendedbychrisi'm ignoring that06:59
blendedbychristcpdump… how do i make it output the actual data instead of just the summary ?06:59
blendedbychrislove it07:01
twbSpamapS: where is that quote from?07:02
blendedbychriswith TLS should I see unencrypted data in tcpdump?07:04
twbblendedbychris: only the word "STARTTLS"07:06
blendedbychristwb: thanks07:06
twbblendedbychris: well that and maybe a EHLO or HELO or whatever, depends on the protocol07:07
blendedbychriswell definatly not the password right heh?07:07
twbblendedbychris: you're using 389?07:07
twbPort 389 I mean07:07
twbOK so that's starttls07:07
twbthe ldaps port is assumed to be TLSd from the get-go07:07
blendedbychriswait what?07:08
twbThere are two ways of doing TLS.  Either you use the plaintext port and start every conversation with "quick turn on TLS!" or you use a dedicated port.07:08
SpamapStwb: yes that was ghostbusters :)07:08
twbe.g. smtps. imaps, ldaps are dedicated ports07:08
twbSpamapS: good because I couldn't find the bloody quote... stupid ddg07:08
SpamapSit was really badly botched07:09
blendedbychrisi have a more important question… who the hell would enable 389 and not force starttls?07:09
twbSpamapS: no kidding07:09
twbblendedbychris: lazy people07:09
SpamapSWell, let's say this Twinkie represents the normal amount of psychokinetic energy in the New York area. Based on this morning's sample, it would be a Twinkie... thirty-five feet long, weighing approximately six hundred pounds.07:09
twbI think I'm still doing it at some prisons07:09
blendedbychrisis it typical to run 686 with starttls?07:10
twbblendedbychris: you can't run *starttls* on 63607:10
twbThat only takes tls07:10
blendedbychrisdoes this sound right… i'm asking my it dudes for the public cert and an account that has access to "poll" the directory07:17
blendedbychrisquery the directory?07:17
twbThey should have a certificate hierarchy, and you should add their CA cert to your trusted cert list07:21
blendedbychrisisn't that what i'm asking for?07:21
blendedbychristheir public ca cert?07:21
twbIf they are stupid and lazy, instead of having a cert hierarchy, they will have self-signed certs everywhere, in which case you ask specifically for the cert they're using for LDAP07:21
twbcerts are always "public"; they're just public keys signed by other keypairs07:22
blendedbychrisokay so what's the smartest way i can ask heh07:22
twbWhat are you actually trying to achieve?07:22
blendedbychrisget the cert and probably have them make another account to query ad07:22
blendedbychrisso i can use starttls07:23
blendedbychrison some web server we run externally07:23
blendedbychriscurrently we have an internal web server that is performing queries in plaintext07:23
twbSo ACTUALLY what is happening is you have a working AD LDAP/krb infrastructure, and you have a new httpd, and you want people to be able to log into web apps under the new httpd using their existing AD accounts?07:24
twbAnd everything is working except it's not encrypting the LDAP conversation?07:24
blendedbychriswell i am about to add another httpd that isn't even hosted internally so starttls is a must07:25
blendedbychrisbut yes07:25
twbThe new httpd is running Ubuntu 10.04?07:26
twbAnd is it apache, or what?07:26
twbOK, is nginx using PADL libpam_ldap, or what?07:26
blendedbychrisphp's whatever07:27
blendedbychrisis the client07:27
twbDo you know the path to the ldap.conf that <whatever> is reading?07:27
twbe.g. is it /etc/ldap.conf or /etc/ldap/ldap.conf07:28
blendedbychrisbig ol guess that it's /etc/ldap/ldap.conf07:28
twbYou need to know what LDAP client it's using and what config file to edit07:28
twbUbuntu at a minimum has both the ones I just mentioned, used by different LDAP clients :-/07:29
blendedbychrislet me double check07:29
blendedbychrisit's using openldap07:30
twbOn what do you base that conclusion?07:30
twbActually an easy way to test it would just be to put bullshit in the suspected file, restart the app, and see if it is broken07:31
twbLooking at ldap.conf(5), it seems that you cannot say "always use starttls".  You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the *app* issues a starttls by configuring the app.07:32
twbFWIW I just use ldaps, although the #openldap people didn't seem to like that07:33
blendedbychriseverything i read it's "dated"07:33
blendedbychristwb: i'm basing that conclusion on php manual i guess…. it mentions openldap07:34
twbhttp://paste.debian.net/160386/ is what my ldap.conf looks like; I symlink /etc/ldap.conf and /etc/ldap/ldap.conf together; the #openldap people hate that, too.07:35
twbNote that "ldap" resolves to my LDAP server, which listens on 636/tcp, and cyber.pem is my CA cert07:35
blendedbychriseither way though i just need to ask for a the ca cert for ldap and an account to do queries07:36
twbIMO your first step is to make sure 636 is open07:37
blendedbychriswhy? i don't care to use ldaps i just want to use starttls07:37
twb18:32 <twb> Looking at ldap.conf(5), it seems that you cannot say "always use starttls".  You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the *app* issues a starttls by configuring the app.07:37
blendedbychrisi see what you are saying07:38
blendedbychristhe server needs to force starttls07:38
twbIf you want to use starttls specifically, rather than "I want the traffic encrypted", then you'll need to ask #php for help07:38
twbblendedbychris: if the ldap server only allows starttls, then you'd have a non-working system AFAICT07:38
twbThe starttls request is issued by the client side07:39
blendedbychrisi should have a non-working system because the system that is working is working in such a way that it shouldn't :)07:39
twbEither the libldap to use 636 which implicitly forces TLS, or ask #php or whatever how to force starttls07:40
blendedbychristhanks… you have gone above and beyond my desired wishes07:40
twbEr, s/the/tell/07:41
twbBe grateful they don't want SPNEGO07:41
sabgentonif I install a dependency with dpkg -s bladep.deb then run apt-get install thing_that_needs_that_dep07:58
sabgentonwill it pick up bladep?07:58
uvirtbotNew bug: #959990 in ntp (main) "unnecessary ntpdate invokation" [Undecided,New] https://launchpad.net/bugs/95999008:11
twbsabgenton: use apt, not dpkg08:12
sabgentontwb: dude the very reason I'm asking this is for times when my package isn't in a repository08:12
twbYou should tell your vendor to fix that08:13
sabgentontwb: or are you saying I can use apt on a .deb?08:13
sabgentontwb: I very much dought ubuntu is going to repo every thing I ask for08:15
twbIf some random crack-head makes a .deb and doesn't know how to put it in an apt repo, it is probably not a good deb for you to install.08:16
sabgentonI think that's a bit rude to call someone who doesn't use debian or ubuntu a crack-head08:19
twbI'm not interested in your opinions.08:19
sabgentontwb: do I basicly have to make a PPA if I want a deb to be known to apt?08:20
sabgentontwb: sorry08:20
greppysabgenton: not everyone is twb :) just because someone stuffs it into a repo doesn't magically make it better.08:21
twbsabgenton: this is a deb *you* made?08:21
twbgreppy: better for the end users than gdebi, which will ignore Recommends and generally make a mess of things.08:21
twbgreppy: but sure, putting it in apt won't make it better, but hopefully someone who knows how to do that, also knows how to use things like lintian08:22
sabgentonno I didn't make the .deb08:23
sabgentonand I don't really want to talk about one .deb  because I have had countless times where there's something I want to install that is a .deb but not in a repo08:24
sabgentongreppy: Is PPA the only way to make apt happy08:24
sabgentononly decent way08:24
twbYou shouldn't install such things because they're very likely to be crap quality and mess up your system08:25
twbwebmin would be a textbook example; its deb has three critical errors and hundreds of minor errors08:25
sabgentontwb: even the deb in the ubuntu repos?08:26
sabgenton(webmins in the repos right)08:26
ubottuwebmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.08:26
sabgentonheh ok08:26
sabgentoninteresting did  not know that08:27
sabgentontwb: so say I do make my own private package then08:27
sabgentonAnd I don't want to upload it to ubuntus repo08:28
sabgentonwhats the best way to get it working with apt's dependency knowlage?08:29
twbProbably sbuild or pdebuild and reprepro08:29
sabgentontwb: ok, which is more preferable out of  the two08:30
twbI haven't used sbuild before.08:30
twbI think pbuilder is "good enough"; sbuild is better but harder to get started with08:31
sabgentonwait do those tools just make .deb's08:31
sabgentonI'm asking how to make apt aware of them08:31
twbThat's what reprorepo does.  You upload .changes files to it using dcmd and it builds an apt repo08:34
sabgentonoh see08:34
sabgenton(sbuild or pdebuild) and reprepro08:35
sabgentonso the ones in paren's just make the package08:35
twbIn a deterministic clean environment, yes.08:35
sabgentontwb: so with reprorepo I would make a repository on my localhost then just point /etc/apt/sources.list to it?08:37
sabgentonok I guess I'll look at that08:40
sabgentonspose I was hoping there was an easy way to just make apt see a .dep in some sort of already made default repo on localhost08:41
sabgentontwb: thx for the help08:54
lynxmanmorning o/09:26
jamespageDaviey: rabbitmq11:28
lynxmanjamespage: that's all needed to nag Daviey nowadays? :)11:29
Davieyjamespage: yes, yes.. will do it today12:05
DavieySorry for being crap12:05
jamespageDaviey: no problemo12:11
jamespageDaviey, in all likelyhood I'm not sure its needs a FFe12:11
jamespageand we don't have to MIR the new packages...12:12
ghatakLooking for a lightweight monitoring ( preferably with history ) tool for a linux system. Don't want to use cactai/nagios etc. I want something that is quick and can monitor things like ( CPU, Memory, IO, Network ). Suggestion ?12:12
iclebyteghatak, we use zabbix for this12:13
ghatakright let me checkzz thanks12:13
iclebytejust run a small agent on the remote host and let zabbix poll it. it stores historical data12:13
iclebytewe monitor about 40 hosts with it.12:13
=== bladernr_ is now known as bladernr_afk
cloakableGot my eye on a hifn hardware raid card for my server... would it benefit ubuntu server though?12:25
jamespagebencer_, all the zentyal source packages have now been accepted - they are just working their way through the binary NEW queue now12:26
bencer_jamespage: so the only thing needed to have them included is waiting the builders finish their work? :)12:27
jamespagebencer_, they have build but the new binary packages need to be accepted by the archive-admin's as well12:27
bencer_aha ok, cool12:28
jamespagebencer_, https://launchpad.net/ubuntu/precise/+queue12:28
bencer_jamespage: onces they hit the archive we should request the removal of ebox packages, right?12:28
jamespagebencer_, yes - I have a bug raised for that12:29
* jamespage digs it out12:29
jamespagebencer_, bug 95710912:30
jamespagehmm - no bot today12:30
jamespagebencer_, https://bugs.launchpad.net/ubuntu/+source/ebox/+bug/95710912:30
bencer_jamespage: ok perfect12:31
=== Jasonn is now known as juicy
uvirtbotLaunchpad bug 957109 in ebox "Please remove libebox, ebox and ebox-* packages from the precise archive" [Undecided,Incomplete] https://launchpad.net/bugs/95710912:32
uvirtbotLaunchpad bug 957109 in ebox "Please remove libebox, ebox and ebox-* packages from the precise archive" [Undecided,Incomplete]12:32
uvirtbotNew bug: #960144 in lxc (universe) "lxc-start failing to setup mounts" [Undecided,New] https://launchpad.net/bugs/96014412:41
=== fenris is now known as Guest87935
zulDaviey: can we rethink the nova console patch...its causes the testsuite to fail because the fifo stuff doesnt exist in the buildd13:35
Davieyzul: that is new?13:49
zulDaviey: no13:49
zulDaviey: just frustrating13:49
=== bladernr_afk is now known as bladernr_
pabelangerzul: I heard something about the Debian openstack team adding dbconfig-common support to nova and glance, do you know where that code lives? Or if it exists?13:55
zulpabelanger: http://anonscm.debian.org/gitweb/?p=openstack/$proj.git13:56
zulnot swift though13:56
pabelangerIs the pkg-openstack team considered upstream for packaging or is ubuntu?13:58
zulpabelanger: for ubuntu we do our own packaging and we are kind of upstream as well14:02
pabelangerzul: I see, so we would never sync openstack from debian, is that safe to say?14:02
zulpabelanger: yes we had the packging done before them14:04
pabelangerzul: okay, I only ask because I have 2 reviews up for dbconfig-common support, but Debian has already added support.  The patches take 2 different approaches, so I'll just wait and see how we want to move forward14:05
zulpabelanger: yeah i just got back from vacation so its in the queue im not so sure about adding dbconfig-common support to nova at this late in the cycle though14:06
pabelangerUnderstood, I was likely to late to the game to get it merged upstream.  However, it does help with automated deployments. Worst case I'll have to package it locally14:09
zulpabelanger: ack14:10
roaksoaxzul: do you have any examples that uses debconf questions for a 'select'?14:42
zulroaksoax: what do you mean?14:43
roaksoaxzul: debconf questions that are of the type 'select'14:43
zulroaksoax: not off the top of my head14:43
roaksoaxzul: cool thanks14:44
uvirtbotNew bug: #960262 in lxc (universe) "include an option to use aufs instead of overlayfs in lxc-start-ephemeral" [Undecided,New] https://launchpad.net/bugs/96026214:50
Davieyjamespage: does the rabbitmq requested upload have a PPA?15:02
Davieyi'd ike to point it to another upstream project to validate it.15:02
uvirtbotNew bug: #960276 in nova (main) "a bad AMI can hang an entire compute node" [Undecided,New] https://launchpad.net/bugs/96027615:06
jamespageDaviey: no - but it can have one15:28
SpamapSjamespage: whats the situation on rabbitmq? I know 2.7.1 regressed the start/stop behavior.. anything else? Did I hear that there was a FFE needed for something?15:36
jamespageSpamapS, lynxman did some work to fold in the current plugin packages that are universe to rabbitmq-core15:36
jamespageit creates NEW binary packages from rabbitmq-server source15:37
jamespageI fixed up the start/stop behaviour15:37
jamespagebut thats about it15:37
SpamapSAh ok15:39
DavieySpamapS: in hope of getting it in today, if it works out ok15:39
Davieyjamespage: does it have Breaks / Replaces?15:39
lynxmanDaviey: it does :)15:40
jamespageDaviey, yes it does15:40
Davieylynxman: cool15:42
bencer_jamespage: how long do you think will take zentyal hit the archive? the seems that from the docs team doesn't want to merge the doc until the packages are not in the archive...15:47
jamespagebencer_, they should land in the next day or so - the AA's review periodically15:48
bencer_ok thanks15:48
hallyngary_poster: do you prefer I use the old aufs option ('-t|--type'), or ('-U|--union') ?15:49
uvirtbotNew bug: #960336 in cloud-init (main) "grub-legacy-ec2 missing dependency: ucf" [Undecided,New] https://launchpad.net/bugs/96033616:06
DavieySpamapS: meeting?16:09
Davieyutlemming: meeting?16:09
gary_posterhallyn, sorry was lunching.  If -U does not take an argument, that makes sense to me.16:13
gary_poster-t is more future proof though, I suppose16:13
gary_posterIOW, hallyn, I don't have a string opinion.  I guess at this instant in time, I'd lean towards -t, preferring the future-proof argument.16:15
hallyn-U would take aufs or overlayfs16:20
hallynjust as -t did16:20
hallyn-U just seems to be more obvious :)  i was just wodnerng if anyone would be using -t in a script (from oneiric)16:21
hallyngary_poster: ^16:23
gary_posterhallyn...not us, and this is a new script, so go with the more obvious choice16:31
blendedbychrisi have a hyper-v server with a "synthetic" interface and a "legacy" interface i can't get the synthetic interface to show up16:36
blendedbychrisany idea where to start ?16:36
blendedbychrissupposedly this kernel has this driver16:36
hallynjjohansen: to make /etc/apparmor.d/lxc/lxc-default be loaded at reboot, what should i do?16:42
hallyn(i'd have thought all files under /etc/apparmor.d just get loaded?)16:42
jjohansenhallyn: it should be unless its disabled.  Is there a link in /etc/apparmor.d/disabled ?16:43
jjohansenhallyn: you can test what gets auto load with /etc/init.d/apparmor restart16:43
hallyneven if it's under a subdir?16:43
jjohansenhallyn: oh. no subdirs aren't auto-loaded16:44
hallynso what shall i do?16:44
hallyncan i make a list somewhere?16:44
jjohansenhrmmm, jdstrand^ what do you think the best way to approach is16:45
hallyngary_poster: d'oh, my test kernel doesn't have aufs.  But I *think* lp:~serge-hallyn/ubuntu/precise/lxc/lxc-shutdownv2 should be enabling aufs for lxc-start-ephemeral.  (and at least doesn't break overlayfs ones)16:46
jjohansenhallyn: sorry when it comes to packaging and ubuntu init I still find stuff that surprises me, jdstrand and kees handled most of that stuff16:46
hallynjjohansen: thanks16:46
gary_posterhallyn, cool, getting and looking16:47
jjohansenhallyn: there are a couple things that can be done that I can think of.  Drop a symlink in the top dir, drop an include dir in another profile file16:47
=== duckydan_ is now known as duckydan
jjohansenhallyn: is lxc-start in the main dir?16:48
jjohansenyou could drop an include at the end of the file16:48
jjohansenjust include the directory16:48
hallynjjohansen: i suppose i can just leave them in the main dir.  I just wanted to not pollute it too much16:48
jjohansenany file in the directory would get included16:48
jjohansenso you can drop files in as you want16:49
hallyn#include "lxc/" ?16:49
hallynthanks will try16:49
jjohansenmake sure the include is outside of the profile, just stick it at the end of the file16:49
jjohansenoh, hrmm that may mean modifying the included profile file16:50
jjohansenslightly so that it doesn't include the global abstraction stuff again, that has been on my list to fix for awhile but has been low priority16:50
hallynjjohansen: yeah i just noticed it's complaining about redefs16:51
hallynjust made it a new empty file with only the #include :)16:52
hallynthanks, i'll stop taking your time (cause i want that getcon fix :)16:52
jjohansenthat will work16:52
gary_posterhallyn, looks good, and I confirmed that it works with -U aufs here.  The only issue I saw was because I already had another ephemeral running (because of the one-at-a-time aspect of lxc-wait).  I'll run it through some more tests later, but +1 from me.  Thank you!16:55
hallyngary_poster: I may write a lxc-wait script to replace that16:56
hallynI think I have to16:56
gary_posterthat would be great, if sad that you have to do that16:56
jdstrandhallyn: sorry, did you get your question about policy loading during init answered?17:00
blendedbychrisafter  i install ubuntu-desktop how do i remote into the gui?17:01
jdstrandhallyn: well, in case not, if you are shipping an upstart job, you can look at avahi-daemon.conf for inspiration. eg add something like:17:03
jdstrandpre-start script17:03
jdstrand    /lib/init/apparmor-profile-load <subdir>/<profile>17:03
jdstrandend script17:03
jdstrand(note '<subdir>/<profile>' should not have '/etc/apparmor.d/' prepended17:04
hallynjdstrand: what i'm doing right now is shipping a /etc/apparmor.d/lxc-containers which just has '#include <lxc>'.  It's working17:09
smoserutlemming, if you poke at the locale stuff... i think profile.d could be  made usable.17:09
hallynjdstrand: if that's deemed less desirable, i'll change it, but it's working17:09
utlemmingsmoser: I've tested that profile.d code and it works17:09
utlemmingsmoser: even with the bash-isms, but yeah, I'll get that implement this week17:10
jdstrandhallyn: that would certainly work. it is a little odd in some ways, but is also nice in that anything else that gets dropped into /etc/apparmor.d/lxc will magically get loaded17:10
hallynjdstrand: right - cool, thanks.17:10
jdstrandhallyn: can you paste the output of 'sudo aa-status' after having done that?17:11
smoserutlemming, well of course it will work in bash with bashisms.17:11
smoserbut not if your shell is /bin/sh or zsh17:11
smoserprofile.d probably has to be posix shell pure17:11
hallynjdstrand: http://paste.ubuntu.com/892472/17:11
jdstrandhallyn: what are the contents of your /etc/apparmor.d/lxc directory?17:12
hallynjdstrand: just /etc/apparmor.d/lxc/lxc-default right now17:13
hallyn(shipped with the package)17:13
jdstrandhallyn: and that has 'profile lxc-container-default ... {...}'?17:13
hallynRecommendation in server guide will be to drop per-container profiles there if desired and manually load17:13
jdstrandhallyn: ok, so this will work. keep in mind that if containers start before the apparmor initscript is loaded, then things won't be confined17:14
hallynjdstrand: actually they refuse to start then17:14
jdstrandhallyn: this is where the upstart job change would help17:14
hallynjdstrand: lxc-start fails aa_change_profile() and bails17:15
jdstrandhallyn: ok, fair enough-- you might get a bug report about things failing to start17:15
blendedbychrisi installed the package ubuntu-desktop … how can i remote access the gui?17:15
blendedbychrison server17:15
blendedbychriscan i make it startx remotely?17:15
hallynjdstrand: could be.  I'm open to changing it to try and autoload, but i don't want to complicate it at this stage17:15
hallynjdstrand: i'm not sure where upstart job would help with new profiles...17:16
jdstrandhallyn: you could fix that condition by adjust lxc-start to load the policy (like we discussed before), or use the upstart snippet I gave above to load /etc/apparmor.d/lxc-containers17:16
jdstrandhallyn: (which would use your #include lxc trick)17:16
hallynjdstrand: I've missed something17:17
jdstrandhallyn: ok, the upstart job has:17:17
jdstrandpre-start script17:17
jdstrand    /lib/init/apparmor-profile-load lxc-containers17:17
jdstrandend script17:17
jdstrand/etc/apparmor.d/lxc-containers contains:17:17
jdstrand#include <lxc>17:18
hallynbut lxc-containers gets loaded at start anyway... what does it gain to have it in upstart job?17:18
hallyn(being dense, not on purpose)17:18
jdstrandthis has the benefit of loading whatever is in /etc/apparmor.d/lxc (like now), and you can make sure in the job that it gets started before something that uses lxc-start17:18
hallynoh, cause there's no guarantee when /etc/init.d/apparmor runs?17:19
jdstrandhallyn: yes17:19
hallyngot it, thanks17:19
jdstrandit runs in rc 217:19
jdstrandhallyn: anyhoo, food for thought. I'll let you decide what you want to do with all this info :)17:20
hallynjdstrand: thanks.  I'll do that.  And like I say I do want to add attempts to laod policy if transition fails, but only after getcon issues are fixed.17:20
hallynjdstrand: thanks, ttyl17:20
jdstrandhallyn: oh, one last thing: I suggest adding a clear comment in /etc/apparmor.d/lxc-containers as to what it is doing and why, so people know what is happening and aren't tempted to edit it17:21
hallyngood point.  will do17:22
newbchessplayeri installed ubuntu server but cant get a gui working17:23
newbchessplayeri apt-get'ed gnome-shell17:23
JanCnewbchessplayer: you probably also want a DM etc.17:28
JanCand Xorg, of course17:29
JanCnewbchessplayer: but I suppose it's easier to install a regular desktop if you are new to this17:29
JanCsomething like XDM, GDM, LightDM, KDM, ...17:29
newbchessplayerwhat are they17:30
JanCthey provide the graphical login screen etc.17:30
newbchessplayeryes that's what i need17:31
JanCbut like I said: better install a desktop17:31
JanCthen you get all that out of the box17:31
JanCalternatively, there are several *-desktop metapackages that will install all you need for that particular desktop17:32
newbchessplayerwhat is fd0 read error?17:33
newbchessplayerfloppy error17:35
=== Lcawte|Away is now known as Lcawte
kamalHi cloud people ...   I've been getting experimenting with EC2 for a week or so, and I have a couple of technical questions about the "guest" AMI's that Canonical provides.  Are the folks who construct those AMI's here perchance?18:05
utlemmingkamal: yup...how can I lead you astray?18:05
kamalquite easily, I'm sure ....18:06
kamalfirst question:   why is grub-pc even installed on the EC2 images?   it looks to me like the only grub package EC2 actually needs/uses is grub-legacy-ec218:06
utlemmingkamal: correct. Even though the images in EC2 don't use the grub packages, the images that are generated can be downloaded from http://cloud-images.ubuntu.com and used in KVM, OpenStack and other virtual solutions. We try to produce generic images that are suitable for use on as many clouds as possiable.18:07
kamalutlemming: ok, got it18:08
kamalsecond question (maybe the same answer) ...   why do the EC2 images run getty's on tty[1-6]?18:08
utlemmingkamal: same reason...for general use else where18:09
kamalutlemming: ok, makes sense.   last one (maybe ;-)....    Do we provide a "super-minimal" cloud image?   (I've constructed my own, but I'm curious).18:11
utlemmingkamal: what do you mean by super-minimial? The images are built from the ubuntu-minimial and server patterns with the cloud-init packages put on to make them useable.18:12
kamalutlemming: I guess I mean an image which includes the very smallest set of packages that can be useful on a cloud-hosted VM.   (I don't know anything about "ubuntu-minimal" or "patterns").   Even cloud-init isn't really *necessary* to construct a VM...18:17
kamalI.e. I have constructed a working (key-preinstalled) ubuntu EC2 AMI with just "debootstrap --variant=minbase" plus {linux-image-virtual, grub-legacy-ec2, isc-dhcp-client, openssh-server}18:17
kamalutlemming: so I guess I mean:  do we (should we?) provide something like ^^^ that as a "minimal AMI"18:18
utlemmingkamal: the reason we don't, is because there are problem with super-minimial images like that, in the respect that we need to provide enough tools to get the image workable. Cloud-init is a python package that handles on-boot customization, injects the keys, etc.18:19
utlemmingkamal: what is the impitious for asking?18:19
cwillu_at_workkamal, if you need something stripped down, you're best of doing the stripping yourself18:20
cwillu_at_workthere will always be something vital for you that somebody else doesn't ever use, and something they consider vital that you'd never touch18:21
cwillu_at_workalternatively:  "Yes: the super minimal package is 'linux-image-3.3.0'"18:21
cwillu_at_workanything else you'd want, you can get from an initramfs you pull in over tftp18:22
kamalutlemming: ok, I understand that such an image wouldn't be interesting as a "cloud guest" image.   my goal is to construct a lean-mean image to use as a compute-slave, and I want to avoid wasting precious microseconds or megabytes with unneeded pkgs or processes.18:23
cwillu_at_workkamal, did you read what I just wrote? :p18:23
utlemmingkamal: smoser has a project called cirros that is stripped down cloud images (https://code.launchpad.net/~smoser/cirros/trunk)18:25
kamalcwillu_at_work: yup, but wanted to answer utlemming's question :-).    I understand your advice also, thanks.   Note that I'm not trying to construct an image which contains *any* packages that are "vital to me" though ...   I'm interested in the set of packages that are "vital to boot".18:25
cwillu_at_workand what I said still applies18:25
kamalah, smoser's project does appear to be about what I'm talking about18:27
smoserits not ubuntu.18:27
smoserits buildroot (uclibc)18:27
kamalsmoser: well, I guess its at least the concept of what I'm talking about :-)18:27
smoseri'm curious why you're so interested in lean18:28
kamalsmoser: because: why waste RAM and time with e.g. getty's?18:28
smoseryou can probably stop them18:29
smoserfor i in 1 2 3 4 5 6; do sudo stop $i; done18:30
kamalsmoser: sure, but why start them at all?18:30
smoserin the end, anything that is wasting memory should be able to be turned off.18:30
smoserso then you're just wasting disk spae18:30
smoseri just find it a lot of effort for a little gain.18:31
smoserand if you really wanted to, you could supply cloud-init data that would not start those ttys18:32
smoseryes... then you'd pay the cost of code running to disbable them.18:32
kamalsmoser: yup, *now* you're getting on my wavelength ;-)   If I'm constructing an image for a dedicated compute-slave, which I'll run many many instances of,  I think it makes much more sense to just leave unwanted stuff out of the image, as opposed to wasting the time/space to turn it off at boot.18:34
kamalthe effort will be a one-time operation, but the gain will be multiplied by the N times the instance will be run.   So I see lots of potential gain to optimizing there.18:36
smoserkamal, you're just simply going to spend a lot of time optimizing something and fixing bugs and pulling hair.18:36
smosernothing is a one time operation.18:36
kamalsmoser: well I guess I still have a bit of hair left to pull, so that sounds about right ;-)18:39
kamalanyway, utlemming, cwillu_at_work, smoser ...  thanks for the answers and advice.  I'll know where to come for further questions!  :-)18:39
smoserwell, if your systems spend most of their life starting and stopping, then you probably have some optimizations you can make.18:39
smoserif, however, you like to do other things than boot18:39
smoserthen your % of time spent booting goes down quickly.18:40
smoseryes, 10 second boot on a laptop is nice, but if uptime is measured in days, 20 seconds wasn't so bad.18:40
smoserbut anyway.18:40
kamalsmoser: I imagine that for my application, the uptime of each system will be exactly 59 minutes (one EC2 time-chunk)18:41
kamalI haven't clocked anything, but I even wondered if maybe t1.micro CPU throttling might kick in *during* the boot process, such that it would actually be even more useful to strip down useless CPU-intensive stuff at boot.18:42
smoserwell, then, you've given yourself a fairly good target for optimization:18:42
kamal(again, my only experience with cloud stuff *at all* is about 1 week playing with EC2)18:42
smoser (60 * 59 - 20) / (60 * 59) = .994318:42
smoserso if you save 20 seconds in boot, you'll gain .005% cpu utilization18:43
smoserand i surely hope you can't save 20 seconds at goot18:43
smosererr... sorry . bad math. that is .5%18:44
blendedbychriswhich vnc server do i use if i want to allow windows users to use something like tightvnc to see the login screen?18:47
blendedbychrisand login as their respective user18:47
kamalsmoser: .5% is not entirely insignificant, I think, but its good to quantify it.   maybe I'll run an actual boot speed test and really see if it makes even that much difference.  again, thanks very much for the advice, this was a very useful discussion for me.18:48
smoserkamal, if you're interested in maximizing usefulness of time/$18:50
smoserthen you will want tofind out the answer to something i have never figured out18:50
smoser(or never bothered to)18:50
smoserwhen does the clock start for your 60*60 on amazon18:50
smoseri suspect it starts when your request comes in, and they start doing IO on your part on their nodes.18:50
smoseryou start booting at some point later18:51
smoserso that provisioning time is cost18:51
kamalsmoser: I imagined that the clock started at moment that the instance goes from "pending" to "running" ...  it wouldn't be fair for them to charge you for provisioning time, imho.   I'll find out.18:53
smoserits easy to thikn that is no fair18:53
smoserbut in another sense it is18:53
smoseryou're using their IO18:53
smoseror, rather, they're doing IO on your request18:53
kamalno, *they* are using their IO18:53
smoserwhy should you get free IO ?18:53
kamalimho, they charge me to "run the image".   if their systems are slow and it takes them a long time to get my image to the "running" state, thats their problem, not mine (I can't do anything about it).   As opposed to:  if my system *boots* slow, then its my problem.   Again, this is just *my* thinking.  :-)18:54
uvirtbotNew bug: #960500 in net-snmp (main) "net-snmp-config shift error" [Undecided,New] https://launchpad.net/bugs/96050018:56
kamalhttp://aws.amazon.com/ec2/faqs/#What_defines_billable_EC2_instance_hours   ::   Instance-hours are billed for any time your instances are in a “running” state.18:57
kamalsmoser: ^^18:57
smoserwell thats interesting.18:59
smoserbut i dont know how you can get that.18:59
blendedbychrisno one?19:00
blendedbychrisis there not a vnc server app that works more like remote desktop?19:00
smoserkamal, http://paste.ubuntu.com/892613/19:01
kamalsmoser: ec2-describe-instances shows a timestamp which I bet is the start time19:01
smoserit is not19:01
smoserit is the request time19:01
smoser(as shown in that paste)19:01
kamalsmoser: hmmm... curious.  why do I care what my request time was?   :-/19:02
smoserbecause its the billing start time :)19:02
kamalsmoser: not per that FAQ though19:03
smoseryeah. i dont know.19:03
cloakableAnyone know how to combine fail2ban with remote logging?19:07
Picicloakable: fail2ban appears to support logging to syslog, so you should be able to work with it from there.19:10
cloakableYeah, but it wants to watch a logfile. Which presumably means running on the server accepting the logs.19:11
cloakableWhich as far as I can tell with default configuration, means that someone trying to bruteforce my gateway will get banned on the logging server. Not useful.19:12
cloakableI suppose mounting the remote directory via nfs might work19:16
maxagazmd5sum returns the md5 following by the file name, why not only the md5 ?19:29
maxagazmd5sum, is there some option to get only the md5, or only awk, cut... ?19:30
bluefrogmd5sum without the name of the file in a list is pretty useless19:32
marcoceppimaxagaz: there isn't, in the ch_get_file method, when it calculates md5 sum it does md5sum <file> | awk '{ print $1}'19:33
=== dillydallyer__ is now known as newbchessplayer
zulSpamapS: ping what do you think about https://bugs.launchpad.net/bugs/959426 (note we dont use mysql by default)20:07
uvirtbotLaunchpad bug 959426 in nova "nova services start before mysql on boot" [Undecided,Confirmed]20:07
SpamapSzul: the age old problem. ;)20:08
SpamapSzul: these services should probably be more resilient to the database being unavailable and retry a few times.20:09
zulSpamapS: right but the upstart scripts for nova doesnt assumed that mysql is installed20:09
SpamapSzul: the upstart jobs are doing the right thing. Ignore the "on the same machine" bit. What if your data center goes down all at once? When you come back up.. you shouldn't have to remember what order to boot machines.20:10
SpamapSwe likely start mysqld and glance and nova all at the same time, on runlevel 220:10
zulok i can accept that20:11
maxagazmarcoceppi, ok, thanks20:21
maxagazhow to echo a tab ?20:28
=== alaing is now known as funkymonk
maxagazecho -e "a\tb"20:29
guampasomeone knows if postfix *_queue_lifetime can be tuned for specific smtp errors? I would want to set 2 days max for smtp 450 (mailbox unavailable)20:44
gary_posterhallyn, will lxc cause top to be confused about active processes in the container?  I didn't expect so, but I'm seeing unexpected behavior (which may well be from other sources) that reports that only one process is active and the rest are idle.  I have one active process in the host, but should have ~16 from 8 containers.  my cpu usage info is also very low, according to top (>99% idle).  Is any of this explainable20:53
gary_poster with lxc, or should I look elsewhere?20:53
gary_posternote that the container's processes are listed in top, it's just that are not shown as doing much20:54
=== jvdz_ is now known as jvdz
sorenDaviey: Expect a keystoneconfig-common to appear out of nowhere soon. Should make integrating packages with Keystone a breeze.21:51
Davieysoren: that is awesome!!21:56
Davieysoren: Likely before Thurs?21:56
sorenDaviey: It's almost done. I expect to finish testing it tomorrow.21:58
sorenDaviey: There's probably half a million things I haven't thought about, but the other 27 things I did think about should be covered.21:58
=== Lcawte is now known as Lcawte|Away

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!