[00:08] <SpamapS> sbeattie: ugh.. the 5.5 test suite doesn't seem to want to be run out of tree. Probably will have to patch it a lot. :-P
[00:11] <SpamapS> sbeattie: oh wait.. hah.. no.. the problem is that mysql-testsuite is no longer a meta-package in 5.5 .. so installing it pulls in 5.1's test suite
[00:12] <sbeattie> SpamapS: oh! Haha.
[00:12]  * sbeattie sighs.
[00:12] <SpamapS> sbeattie: my bad. ;) I'll fix that in the upcoming 5.5.21 upload
[00:12] <sbeattie> SpamapS: thanks, appreciate you digging into it.
[00:12] <SpamapS> Still waiting for upstream to confirm that they do not believe it is safe to have a dynamically linked /usr/bin/mysql
[02:50] <hallyn> jjohansen: jdstrand: is there a sort of aa_get_profile() to complement aa_change_profile()?
[02:50] <hallyn> really i just want to know if i'm confined.
[02:50] <hallyn> (and if not, not try to transition)
[02:59] <jjohansen> hallyn: yes see man aa_getcon
[02:59] <hallyn> jjohansen: thanks!
[03:00] <jjohansen> hallyn: note aa_get_peercon will only return an error atm because socket labeling isn't implemented yet
[03:02] <jjohansen> hallyn: also technically you are getting the context, which could be more than a profile, but since stacking isn't yet supported it is currently only a profile
[03:02] <jjohansen> also the profile name "unconfined" will indicate no confinement
[03:03] <jjohansen> hallyn: there should also be perl, python, and ruby bindings for those fns
[04:09] <sp4z> hi is how do i change the resolution on my ubuntu server?
[04:24] <hallyn> jjohansen: thanks.  i only need c, and only want to check if i'm unconfined (if a transition failed)
[04:39] <hallyn> jjohansen: hm, seems aa_onexec requires a different transition perm than aa_change_context
[04:43] <hallyn> and http://wiki.apparmor.net/index.php/AppArmorAPIs uses wrong name (aa_onexec_profile)
[04:44] <hallyn> all right i guess lxc will use aa_change_profile() for now.  it'll work, though it's not really "correct"
[05:24] <jjohansen> hallyn: hrmm, sorry about the wiki, its uhmm about the last documentation to get updated, I'll make sure it gets a refresh for those.  change_onexec does use a slightly different variation to the change_profile perm.  I look and see why it isn't working
[06:16] <blendedbychris> is there a quick way to tunnel a request on a specific port through a ubuntu box/
[06:16] <SpamapS> blendedbychris: ssh -L or ssh -D
[06:16] <SpamapS> blendedbychris: or ssh -R if you want to go from the remote to your local machine
[06:18] <blendedbychris> SpamapS: can that watch for any application though that tries to use port 389 for instances
[06:18] <blendedbychris> instance*
[06:18] <SpamapS> blendedbychris: no, thats just a quick and dirty tunnel.. you'd have to tell the app to use the tunnel
[06:19] <SpamapS> blendedbychris: if you want an IP level tunnel.. openvpn is pretty simple
[06:20] <blendedbychris> what do you call the "middle" node? the proxy?
[06:20] <blendedbychris> the openvpn method might work if i could set some arbitrary hostname
[06:21] <blendedbychris> so ldap://proxy:389 -> 50.32.111.22 (my proxy) -> ldap://10.32.33.53:389
[06:30] <SpamapS> blendedbychris: yeah, you could just use ssh for LDAP with 'ssh -L 389:10.32.33.53:389 50.32.111.22'
[06:31] <SpamapS> blendedbychris: but that would only work if you did that on every client
[06:31] <SpamapS> blendedbychris: for openvpn you're basically setting up an IP tunnel, so it gets more complicated
[06:32] <blendedbychris> SpamapS: are you pretty familiar with ldap?
[06:32] <blendedbychris> i'm kinda naive in the subject…
[06:32] <blendedbychris> does the standard ldap:// protocol have encryption at all?
[06:33] <blendedbychris> this really just solves half the problem is what i'm getting at … that internal server needs to be encrypted too ideally
[06:34] <SpamapS> blendedbychris: LDAP can use STARTTLS to do encryption, or you can run it fully wrapped in SSL as 'ldaps' which runs on port 636
[06:34] <SpamapS> blendedbychris: depends on what your clients support. Most modern ones can do starttls
[06:35] <blendedbychris> client meaning the app requesting say an ldap search?
[06:39] <SpamapS> blendedbychris: righ
[06:46] <blendedbychris> SpamapS: gotcha… currently it looks like i am only able to connect via plaintext…
[06:46] <blendedbychris> if i force TLS i get TLS: peer cert untrusted or revoked (0x42)
[06:47] <blendedbychris> running ldapsearch -h 10.1.50.211 -p 389 -ZZ -d5 -b "" -s base "(objectClass=*)"
[06:48] <blendedbychris> not sure if i've set my certs up properly though
[06:48] <SpamapS> blendedbychris: looks like no
[06:49] <twb> FFS
[06:49] <SpamapS> blendedbychris: probably not trusted. Thats why people avoid end-to-end SSL.. its a nightmare to manage :)
[06:49] <blendedbychris> do i have to grab the cert from the ldap server?
[06:49] <twb> "Customer, you need to enable 88 and 464 from AD to your test VM for me to set up krb on it" "Them, I opened 88 and 464, what was your IP again?"
[06:49] <twb> IOW I think they just opened their krb to the internet :-/
[06:50] <blendedbychris> too many acronyms
[06:50] <blendedbychris> brain imploded
[06:58] <SpamapS> blendedbychris: this is a twinkie.. it represents the normal bad security energy on the internet for any one entity. Now, imagine a twinkie roughly the size of manhattan.
[06:59] <blendedbychris> ugh
[06:59] <blendedbychris> i'm ignoring that
[06:59] <blendedbychris> tcpdump… how do i make it output the actual data instead of just the summary ?
[07:01] <blendedbychris> haha
[07:01] <blendedbychris> love it
[07:02] <twb> SpamapS: where is that quote from?
[07:02] <twb> Ghostbusters?
[07:04] <blendedbychris> with TLS should I see unencrypted data in tcpdump?
[07:06] <twb> blendedbychris: only the word "STARTTLS"
[07:06] <blendedbychris> twb: thanks
[07:07] <twb> blendedbychris: well that and maybe a EHLO or HELO or whatever, depends on the protocol
[07:07] <blendedbychris> well definatly not the password right heh?
[07:07] <twb> blendedbychris: you're using 389?
[07:07] <blendedbychris> yes
[07:07] <twb> Port 389 I mean
[07:07] <twb> OK so that's starttls
[07:07] <twb> the ldaps port is assumed to be TLSd from the get-go
[07:08] <blendedbychris> wait what?
[07:08] <twb> There are two ways of doing TLS.  Either you use the plaintext port and start every conversation with "quick turn on TLS!" or you use a dedicated port.
[07:08] <SpamapS> twb: yes that was ghostbusters :)
[07:08] <twb> e.g. smtps. imaps, ldaps are dedicated ports
[07:08] <twb> SpamapS: good because I couldn't find the bloody quote... stupid ddg
[07:09] <SpamapS> it was really badly botched
[07:09] <twb> http://en.wikiquote.org/wiki/Ghostbusters
[07:09] <blendedbychris> i have a more important question… who the hell would enable 389 and not force starttls?
[07:09] <twb> SpamapS: no kidding
[07:09] <twb> blendedbychris: lazy people
[07:09] <SpamapS> Well, let's say this Twinkie represents the normal amount of psychokinetic energy in the New York area. Based on this morning's sample, it would be a Twinkie... thirty-five feet long, weighing approximately six hundred pounds.
[07:09] <twb> I think I'm still doing it at some prisons
[07:10] <blendedbychris> is it typical to run 686 with starttls?
[07:10] <twb> blendedbychris: you can't run *starttls* on 636
[07:10] <twb> That only takes tls
[07:10] <blendedbychris> gotcha
[07:17] <blendedbychris> does this sound right… i'm asking my it dudes for the public cert and an account that has access to "poll" the directory
[07:17] <blendedbychris> query the directory?
[07:21] <twb> They should have a certificate hierarchy, and you should add their CA cert to your trusted cert list
[07:21] <blendedbychris> isn't that what i'm asking for?
[07:21] <blendedbychris> their public ca cert?
[07:21] <twb> If they are stupid and lazy, instead of having a cert hierarchy, they will have self-signed certs everywhere, in which case you ask specifically for the cert they're using for LDAP
[07:22] <twb> certs are always "public"; they're just public keys signed by other keypairs
[07:22] <blendedbychris> okay so what's the smartest way i can ask heh
[07:22] <twb> What are you actually trying to achieve?
[07:22] <blendedbychris> get the cert and probably have them make another account to query ad
[07:23] <blendedbychris> so i can use starttls
[07:23] <blendedbychris> on some web server we run externally
[07:23] <blendedbychris> currently we have an internal web server that is performing queries in plaintext
[07:24] <twb> So ACTUALLY what is happening is you have a working AD LDAP/krb infrastructure, and you have a new httpd, and you want people to be able to log into web apps under the new httpd using their existing AD accounts?
[07:24] <blendedbychris> correct
[07:24] <twb> And everything is working except it's not encrypting the LDAP conversation?
[07:25] <blendedbychris> well i am about to add another httpd that isn't even hosted internally so starttls is a must
[07:25] <blendedbychris> but yes
[07:25] <twb> OK
[07:26] <twb> The new httpd is running Ubuntu 10.04?
[07:26] <blendedbychris> ya
[07:26] <twb> And is it apache, or what?
[07:26] <blendedbychris> nginx
[07:26] <twb> OK, is nginx using PADL libpam_ldap, or what?
[07:27] <blendedbychris> php's whatever
[07:27] <blendedbychris> is the client
[07:27] <twb> Ugh
[07:27] <twb> Do you know the path to the ldap.conf that <whatever> is reading?
[07:28] <twb> e.g. is it /etc/ldap.conf or /etc/ldap/ldap.conf
[07:28] <blendedbychris> big ol guess that it's /etc/ldap/ldap.conf
[07:28] <twb> You need to know what LDAP client it's using and what config file to edit
[07:29] <twb> Ubuntu at a minimum has both the ones I just mentioned, used by different LDAP clients :-/
[07:29] <blendedbychris> let me double check
[07:30] <blendedbychris> it's using openldap
[07:30] <twb> On what do you base that conclusion?
[07:31] <twb> Actually an easy way to test it would just be to put bullshit in the suspected file, restart the app, and see if it is broken
[07:32] <twb> Looking at ldap.conf(5), it seems that you cannot say "always use starttls".  You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the *app* issues a starttls by configuring the app.
[07:33] <twb> FWIW I just use ldaps, although the #openldap people didn't seem to like that
[07:33] <blendedbychris> ya
[07:33] <blendedbychris> everything i read it's "dated"
[07:33] <blendedbychris> whatever
[07:34] <blendedbychris> twb: i'm basing that conclusion on php manual i guess…. it mentions openldap
[07:35] <twb> http://paste.debian.net/160386/ is what my ldap.conf looks like; I symlink /etc/ldap.conf and /etc/ldap/ldap.conf together; the #openldap people hate that, too.
[07:35] <twb> Note that "ldap" resolves to my LDAP server, which listens on 636/tcp, and cyber.pem is my CA cert
[07:36] <blendedbychris> righto
[07:36] <blendedbychris> either way though i just need to ask for a the ca cert for ldap and an account to do queries
[07:37] <twb> IMO your first step is to make sure 636 is open
[07:37] <blendedbychris> why? i don't care to use ldaps i just want to use starttls
[07:37] <twb> 18:32 <twb> Looking at ldap.conf(5), it seems that you cannot say "always use starttls".  You can either set an ldaps://... URI, in which case it uses tcp/636, or you can make sure the *app* issues a starttls by configuring the app.
[07:38] <blendedbychris> hrm
[07:38] <blendedbychris> i see what you are saying
[07:38] <blendedbychris> the server needs to force starttls
[07:38] <twb> If you want to use starttls specifically, rather than "I want the traffic encrypted", then you'll need to ask #php for help
[07:38] <blendedbychris> imho
[07:38] <twb> blendedbychris: if the ldap server only allows starttls, then you'd have a non-working system AFAICT
[07:39] <blendedbychris> indeed
[07:39] <twb> The starttls request is issued by the client side
[07:39] <blendedbychris> i should have a non-working system because the system that is working is working in such a way that it shouldn't :)
[07:40] <twb> Either the libldap to use 636 which implicitly forces TLS, or ask #php or whatever how to force starttls
[07:40] <blendedbychris> okay…
[07:40] <blendedbychris> thanks… you have gone above and beyond my desired wishes
[07:41] <twb> Er, s/the/tell/
[07:41] <twb> Be grateful they don't want SPNEGO
[07:58] <sabgenton> if I install a dependency with dpkg -s bladep.deb then run apt-get install thing_that_needs_that_dep
[07:58] <sabgenton> will it pick up bladep?
[08:12] <twb> sabgenton: use apt, not dpkg
[08:12] <sabgenton> twb: dude the very reason I'm asking this is for times when my package isn't in a repository
[08:13] <twb> You should tell your vendor to fix that
[08:13] <sabgenton> twb: or are you saying I can use apt on a .deb?
[08:15] <sabgenton> twb: I very much dought ubuntu is going to repo every thing I ask for
[08:16] <twb> If some random crack-head makes a .deb and doesn't know how to put it in an apt repo, it is probably not a good deb for you to install.
[08:19] <sabgenton> I think that's a bit rude to call someone who doesn't use debian or ubuntu a crack-head
[08:19] <twb> I'm not interested in your opinions.
[08:20] <sabgenton> twb: do I basicly have to make a PPA if I want a deb to be known to apt?
[08:20] <sabgenton> twb: sorry
[08:21] <greppy> sabgenton: not everyone is twb :) just because someone stuffs it into a repo doesn't magically make it better.
[08:21] <twb> sabgenton: this is a deb *you* made?
[08:21] <twb> greppy: better for the end users than gdebi, which will ignore Recommends and generally make a mess of things.
[08:22] <twb> greppy: but sure, putting it in apt won't make it better, but hopefully someone who knows how to do that, also knows how to use things like lintian
[08:23] <sabgenton> no I didn't make the .deb
[08:24] <sabgenton> and I don't really want to talk about one .deb  because I have had countless times where there's something I want to install that is a .deb but not in a repo
[08:24] <sabgenton> greppy: Is PPA the only way to make apt happy
[08:24] <sabgenton> ?
[08:24] <sabgenton> only decent way
[08:25] <twb> You shouldn't install such things because they're very likely to be crap quality and mess up your system
[08:25] <twb> webmin would be a textbook example; its deb has three critical errors and hundreds of minor errors
[08:26] <sabgenton> twb: even the deb in the ubuntu repos?
[08:26] <sabgenton> (webmins in the repos right)
[08:26] <twb> !webmin
[08:26] <sabgenton> heh ok
[08:27] <sabgenton> interesting did  not know that
[08:27] <sabgenton> twb: so say I do make my own private package then
[08:28] <sabgenton> And I don't want to upload it to ubuntus repo
[08:29] <sabgenton> whats the best way to get it working with apt's dependency knowlage?
[08:29] <twb> Probably sbuild or pdebuild and reprepro
[08:30] <sabgenton> twb: ok, which is more preferable out of  the two
[08:30] <twb> I haven't used sbuild before.
[08:31] <twb> I think pbuilder is "good enough"; sbuild is better but harder to get started with
[08:31] <sabgenton> wait do those tools just make .deb's
[08:31] <sabgenton> ?
[08:31] <sabgenton> I'm asking how to make apt aware of them
[08:34] <twb> That's what reprorepo does.  You upload .changes files to it using dcmd and it builds an apt repo
[08:34] <sabgenton> oh see
[08:35] <sabgenton> (sbuild or pdebuild) and reprepro
[08:35] <sabgenton> so the ones in paren's just make the package
[08:35] <twb> In a deterministic clean environment, yes.
[08:37] <sabgenton> twb: so with reprorepo I would make a repository on my localhost then just point /etc/apt/sources.list to it?
[08:38] <twb> Yes.
[08:40] <sabgenton> ok I guess I'll look at that
[08:41] <sabgenton> spose I was hoping there was an easy way to just make apt see a .dep in some sort of already made default repo on localhost
[08:54] <sabgenton> twb: thx for the help
[09:26] <lynxman> morning o/
[11:28] <jamespage> Daviey: rabbitmq
[11:29] <lynxman> jamespage: that's all needed to nag Daviey nowadays? :)
[11:29] <jamespage> lynxman:yep
[12:05] <Daviey> jamespage: yes, yes.. will do it today
[12:05] <Daviey> Sorry for being crap
[12:11] <jamespage> Daviey: no problemo
[12:11] <jamespage> Daviey, in all likelyhood I'm not sure its needs a FFe
[12:12] <jamespage> and we don't have to MIR the new packages...
[12:12] <ghatak> Looking for a lightweight monitoring ( preferably with history ) tool for a linux system. Don't want to use cactai/nagios etc. I want something that is quick and can monitor things like ( CPU, Memory, IO, Network ). Suggestion ?
[12:13] <iclebyte> ghatak, we use zabbix for this
[12:13] <ghatak> right let me checkzz thanks
[12:13] <iclebyte> just run a small agent on the remote host and let zabbix poll it. it stores historical data
[12:13] <iclebyte> we monitor about 40 hosts with it.
[12:13] <ghatak> rightoo
[12:25] <cloakable> Got my eye on a hifn hardware raid card for my server... would it benefit ubuntu server though?
[12:26] <jamespage> bencer_, all the zentyal source packages have now been accepted - they are just working their way through the binary NEW queue now
[12:27] <bencer_> jamespage: so the only thing needed to have them included is waiting the builders finish their work? :)
[12:27] <jamespage> bencer_, they have build but the new binary packages need to be accepted by the archive-admin's as well
[12:28] <bencer_> aha ok, cool
[12:28] <jamespage> bencer_, https://launchpad.net/ubuntu/precise/+queue
[12:28] <bencer_> jamespage: onces they hit the archive we should request the removal of ebox packages, right?
[12:29] <jamespage> bencer_, yes - I have a bug raised for that
[12:29]  * jamespage digs it out
[12:30] <jamespage> bencer_, bug 957109
[12:30] <jamespage> hmm - no bot today
[12:30] <jamespage> bencer_, https://bugs.launchpad.net/ubuntu/+source/ebox/+bug/957109
[12:31] <bencer_> jamespage: ok perfect
[13:35] <zul> Daviey: can we rethink the nova console patch...its causes the testsuite to fail because the fifo stuff doesnt exist in the buildd
[13:49] <Daviey> zul: that is new?
[13:49] <zul> Daviey: no
[13:49] <zul> Daviey: just frustrating
[13:55] <pabelanger> zul: I heard something about the Debian openstack team adding dbconfig-common support to nova and glance, do you know where that code lives? Or if it exists?
[13:56] <zul> pabelanger: http://anonscm.debian.org/gitweb/?p=openstack/$proj.git
[13:56] <zul> not swift though
[13:58] <pabelanger> Is the pkg-openstack team considered upstream for packaging or is ubuntu?
[14:02] <zul> pabelanger: for ubuntu we do our own packaging and we are kind of upstream as well
[14:02] <pabelanger> zul: I see, so we would never sync openstack from debian, is that safe to say?
[14:04] <zul> pabelanger: yes we had the packging done before them
[14:05] <pabelanger> zul: okay, I only ask because I have 2 reviews up for dbconfig-common support, but Debian has already added support.  The patches take 2 different approaches, so I'll just wait and see how we want to move forward
[14:06] <zul> pabelanger: yeah i just got back from vacation so its in the queue im not so sure about adding dbconfig-common support to nova at this late in the cycle though
[14:09] <pabelanger> Understood, I was likely to late to the game to get it merged upstream.  However, it does help with automated deployments. Worst case I'll have to package it locally
[14:10] <zul> pabelanger: ack
[14:42] <roaksoax> zul: do you have any examples that uses debconf questions for a 'select'?
[14:43] <zul> roaksoax: what do you mean?
[14:43] <roaksoax> zul: debconf questions that are of the type 'select'
[14:43] <zul> roaksoax: not off the top of my head
[14:43] <zul> postfix
[14:44] <roaksoax> zul: cool thanks
[15:02] <Daviey> jamespage: does the rabbitmq requested upload have a PPA?
[15:02] <Daviey> i'd ike to point it to another upstream project to validate it.
[15:28] <jamespage> Daviey: no - but it can have one
[15:36] <SpamapS> jamespage: whats the situation on rabbitmq? I know 2.7.1 regressed the start/stop behavior.. anything else? Did I hear that there was a FFE needed for something?
[15:36] <jamespage> SpamapS, lynxman did some work to fold in the current plugin packages that are universe to rabbitmq-core
[15:37] <jamespage> it creates NEW binary packages from rabbitmq-server source
[15:37] <jamespage> I fixed up the start/stop behaviour
[15:37] <jamespage> but thats about it
[15:39] <SpamapS> Ah ok
[15:39] <Daviey> SpamapS: in hope of getting it in today, if it works out ok
[15:39] <Daviey> jamespage: does it have Breaks / Replaces?
[15:40] <lynxman> Daviey: it does :)
[15:40] <jamespage> Daviey, yes it does
[15:42] <Daviey> lynxman: cool
[15:47] <bencer_> jamespage: how long do you think will take zentyal hit the archive? the seems that from the docs team doesn't want to merge the doc until the packages are not in the archive...
[15:48] <jamespage> bencer_, they should land in the next day or so - the AA's review periodically
[15:48] <bencer_> ok thanks
[15:49] <hallyn> gary_poster: do you prefer I use the old aufs option ('-t|--type'), or ('-U|--union') ?
[16:09] <Daviey> SpamapS: meeting?
[16:09] <Daviey> utlemming: meeting?
[16:13] <gary_poster> hallyn, sorry was lunching.  If -U does not take an argument, that makes sense to me.
[16:13] <gary_poster> -t is more future proof though, I suppose
[16:15] <gary_poster> IOW, hallyn, I don't have a string opinion.  I guess at this instant in time, I'd lean towards -t, preferring the future-proof argument.
[16:20] <hallyn> -U would take aufs or overlayfs
[16:20] <hallyn> just as -t did
[16:21] <hallyn> -U just seems to be more obvious :)  i was just wodnerng if anyone would be using -t in a script (from oneiric)
[16:23] <hallyn> gary_poster: ^
[16:31] <gary_poster> hallyn...not us, and this is a new script, so go with the more obvious choice
[16:31] <hallyn> ok
[16:36] <blendedbychris> i have a hyper-v server with a "synthetic" interface and a "legacy" interface i can't get the synthetic interface to show up
[16:36] <blendedbychris> any idea where to start ?
[16:36] <blendedbychris> supposedly this kernel has this driver
[16:42] <hallyn> jjohansen: to make /etc/apparmor.d/lxc/lxc-default be loaded at reboot, what should i do?
[16:42] <hallyn> (i'd have thought all files under /etc/apparmor.d just get loaded?)
[16:43] <jjohansen> hallyn: it should be unless its disabled.  Is there a link in /etc/apparmor.d/disabled ?
[16:43] <hallyn> nope
[16:43] <jjohansen> hallyn: you can test what gets auto load with /etc/init.d/apparmor restart
[16:43] <hallyn> even if it's under a subdir?
[16:44] <jjohansen> hallyn: oh. no subdirs aren't auto-loaded
[16:44] <hallyn> ah
[16:44] <hallyn> so what shall i do?
[16:44] <hallyn> can i make a list somewhere?
[16:45] <jjohansen> hrmmm, jdstrand^ what do you think the best way to approach is
[16:46] <hallyn> gary_poster: d'oh, my test kernel doesn't have aufs.  But I *think* lp:~serge-hallyn/ubuntu/precise/lxc/lxc-shutdownv2 should be enabling aufs for lxc-start-ephemeral.  (and at least doesn't break overlayfs ones)
[16:46] <jjohansen> hallyn: sorry when it comes to packaging and ubuntu init I still find stuff that surprises me, jdstrand and kees handled most of that stuff
[16:46] <hallyn> jjohansen: thanks
[16:47] <gary_poster> hallyn, cool, getting and looking
[16:47] <jjohansen> hallyn: there are a couple things that can be done that I can think of.  Drop a symlink in the top dir, drop an include dir in another profile file
[16:48] <jjohansen> hallyn: is lxc-start in the main dir?
[16:48] <hallyn> yes
[16:48] <jjohansen> you could drop an include at the end of the file
[16:48] <jjohansen> just include the directory
[16:48] <hallyn> jjohansen: i suppose i can just leave them in the main dir.  I just wanted to not pollute it too much
[16:48] <hallyn> ?
[16:48] <jjohansen> any file in the directory would get included
[16:49] <jjohansen> so you can drop files in as you want
[16:49] <hallyn> #include "lxc/" ?
[16:49] <jjohansen> yep
[16:49] <hallyn> thanks will try
[16:49] <jjohansen> make sure the include is outside of the profile, just stick it at the end of the file
[16:50] <jjohansen> oh, hrmm that may mean modifying the included profile file
[16:50] <jjohansen> slightly so that it doesn't include the global abstraction stuff again, that has been on my list to fix for awhile but has been low priority
[16:51] <memoryleak> hi
[16:51] <hallyn> jjohansen: yeah i just noticed it's complaining about redefs
[16:51] <hallyn> redefinitions
[16:52] <jjohansen> yeah
[16:52] <hallyn> just made it a new empty file with only the #include :)
[16:52] <hallyn> thanks, i'll stop taking your time (cause i want that getcon fix :)
[16:52] <jjohansen> that will work
[16:52] <jjohansen> :)
[16:55] <gary_poster> hallyn, looks good, and I confirmed that it works with -U aufs here.  The only issue I saw was because I already had another ephemeral running (because of the one-at-a-time aspect of lxc-wait).  I'll run it through some more tests later, but +1 from me.  Thank you!
[16:56] <hallyn> gary_poster: I may write a lxc-wait script to replace that
[16:56] <hallyn> I think I have to
[16:56] <gary_poster> that would be great, if sad that you have to do that
[17:00] <jdstrand> hallyn: sorry, did you get your question about policy loading during init answered?
[17:01] <blendedbychris> after  i install ubuntu-desktop how do i remote into the gui?
[17:03] <jdstrand> hallyn: well, in case not, if you are shipping an upstart job, you can look at avahi-daemon.conf for inspiration. eg add something like:
[17:03] <jdstrand> pre-start script
[17:03] <jdstrand>     /lib/init/apparmor-profile-load <subdir>/<profile>
[17:03] <jdstrand> end script
[17:04] <jdstrand> (note '<subdir>/<profile>' should not have '/etc/apparmor.d/' prepended
[17:04] <jdstrand> )
[17:09] <hallyn> jdstrand: what i'm doing right now is shipping a /etc/apparmor.d/lxc-containers which just has '#include <lxc>'.  It's working
[17:09] <smoser> utlemming, if you poke at the locale stuff... i think profile.d could be  made usable.
[17:09] <hallyn> jdstrand: if that's deemed less desirable, i'll change it, but it's working
[17:09] <utlemming> smoser: I've tested that profile.d code and it works
[17:10] <utlemming> smoser: even with the bash-isms, but yeah, I'll get that implement this week
[17:10] <jdstrand> hallyn: that would certainly work. it is a little odd in some ways, but is also nice in that anything else that gets dropped into /etc/apparmor.d/lxc will magically get loaded
[17:10] <hallyn> jdstrand: right - cool, thanks.
[17:11] <jdstrand> hallyn: can you paste the output of 'sudo aa-status' after having done that?
[17:11] <smoser> utlemming, well of course it will work in bash with bashisms.
[17:11] <smoser> but not if your shell is /bin/sh or zsh
[17:11] <smoser> profile.d probably has to be posix shell pure
[17:11] <hallyn> jdstrand: http://paste.ubuntu.com/892472/
[17:12] <jdstrand> hallyn: what are the contents of your /etc/apparmor.d/lxc directory?
[17:13] <hallyn> jdstrand: just /etc/apparmor.d/lxc/lxc-default right now
[17:13] <hallyn> (shipped with the package)
[17:13] <jdstrand> hallyn: and that has 'profile lxc-container-default ... {...}'?
[17:13] <hallyn> Recommendation in server guide will be to drop per-container profiles there if desired and manually load
[17:13] <hallyn> yes
[17:14] <jdstrand> hallyn: ok, so this will work. keep in mind that if containers start before the apparmor initscript is loaded, then things won't be confined
[17:14] <hallyn> jdstrand: actually they refuse to start then
[17:14] <jdstrand> hallyn: this is where the upstart job change would help
[17:15] <hallyn> jdstrand: lxc-start fails aa_change_profile() and bails
[17:15] <jdstrand> hallyn: ok, fair enough-- you might get a bug report about things failing to start
[17:15] <blendedbychris> i installed the package ubuntu-desktop … how can i remote access the gui?
[17:15] <blendedbychris> on server
[17:15] <blendedbychris> can i make it startx remotely?
[17:15] <hallyn> jdstrand: could be.  I'm open to changing it to try and autoload, but i don't want to complicate it at this stage
[17:16] <hallyn> jdstrand: i'm not sure where upstart job would help with new profiles...
[17:16] <jdstrand> hallyn: you could fix that condition by adjust lxc-start to load the policy (like we discussed before), or use the upstart snippet I gave above to load /etc/apparmor.d/lxc-containers
[17:16] <jdstrand> hallyn: (which would use your #include lxc trick)
[17:17] <hallyn> jdstrand: I've missed something
[17:17] <jdstrand> hallyn: ok, the upstart job has:
[17:17] <jdstrand> pre-start script
[17:17] <jdstrand>     /lib/init/apparmor-profile-load lxc-containers
[17:17] <jdstrand> end script
[17:17] <jdstrand> /etc/apparmor.d/lxc-containers contains:
[17:18] <jdstrand> #include <lxc>
[17:18] <hallyn> but lxc-containers gets loaded at start anyway... what does it gain to have it in upstart job?
[17:18] <hallyn> (being dense, not on purpose)
[17:18] <jdstrand> this has the benefit of loading whatever is in /etc/apparmor.d/lxc (like now), and you can make sure in the job that it gets started before something that uses lxc-start
[17:19] <hallyn> oh, cause there's no guarantee when /etc/init.d/apparmor runs?
[17:19] <jdstrand> hallyn: yes
[17:19] <hallyn> got it, thanks
[17:19] <jdstrand> it runs in rc 2
[17:20] <jdstrand> hallyn: anyhoo, food for thought. I'll let you decide what you want to do with all this info :)
[17:20] <hallyn> jdstrand: thanks.  I'll do that.  And like I say I do want to add attempts to laod policy if transition fails, but only after getcon issues are fixed.
[17:20] <hallyn> jdstrand: thanks, ttyl
[17:21] <jdstrand> hallyn: oh, one last thing: I suggest adding a clear comment in /etc/apparmor.d/lxc-containers as to what it is doing and why, so people know what is happening and aren't tempted to edit it
[17:22] <hallyn> good point.  will do
[17:23] <newbchessplayer> i installed ubuntu server but cant get a gui working
[17:23] <newbchessplayer> i apt-get'ed gnome-shell
[17:28] <JanC> newbchessplayer: you probably also want a DM etc.
[17:29] <JanC> and Xorg, of course
[17:29] <JanC> newbchessplayer: but I suppose it's easier to install a regular desktop if you are new to this
[17:29] <newbchessplayer> dm?
[17:29] <JanC> something like XDM, GDM, LightDM, KDM, ...
[17:30] <newbchessplayer> what are they
[17:30] <JanC> they provide the graphical login screen etc.
[17:31] <newbchessplayer> yes that's what i need
[17:31] <JanC> but like I said: better install a desktop
[17:31] <newbchessplayer> ok
[17:31] <JanC> then you get all that out of the box
[17:32] <JanC> alternatively, there are several *-desktop metapackages that will install all you need for that particular desktop
[17:33] <newbchessplayer> what is fd0 read error?
[17:35] <newbchessplayer> floppy error
[18:05] <kamal> Hi cloud people ...   I've been getting experimenting with EC2 for a week or so, and I have a couple of technical questions about the "guest" AMI's that Canonical provides.  Are the folks who construct those AMI's here perchance?
[18:05] <utlemming> kamal: yup...how can I lead you astray?
[18:06] <kamal> quite easily, I'm sure ....
[18:06] <kamal> first question:   why is grub-pc even installed on the EC2 images?   it looks to me like the only grub package EC2 actually needs/uses is grub-legacy-ec2
[18:07] <utlemming> kamal: correct. Even though the images in EC2 don't use the grub packages, the images that are generated can be downloaded from http://cloud-images.ubuntu.com and used in KVM, OpenStack and other virtual solutions. We try to produce generic images that are suitable for use on as many clouds as possiable.
[18:08] <kamal> utlemming: ok, got it
[18:08] <kamal> second question (maybe the same answer) ...   why do the EC2 images run getty's on tty[1-6]?
[18:09] <utlemming> kamal: same reason...for general use else where
[18:11] <kamal> utlemming: ok, makes sense.   last one (maybe ;-)....    Do we provide a "super-minimal" cloud image?   (I've constructed my own, but I'm curious).
[18:12] <utlemming> kamal: what do you mean by super-minimial? The images are built from the ubuntu-minimial and server patterns with the cloud-init packages put on to make them useable.
[18:17] <kamal> utlemming: I guess I mean an image which includes the very smallest set of packages that can be useful on a cloud-hosted VM.   (I don't know anything about "ubuntu-minimal" or "patterns").   Even cloud-init isn't really *necessary* to construct a VM...
[18:17] <kamal> I.e. I have constructed a working (key-preinstalled) ubuntu EC2 AMI with just "debootstrap --variant=minbase" plus {linux-image-virtual, grub-legacy-ec2, isc-dhcp-client, openssh-server}
[18:18] <kamal> utlemming: so I guess I mean:  do we (should we?) provide something like ^^^ that as a "minimal AMI"
[18:19] <utlemming> kamal: the reason we don't, is because there are problem with super-minimial images like that, in the respect that we need to provide enough tools to get the image workable. Cloud-init is a python package that handles on-boot customization, injects the keys, etc.
[18:19] <utlemming> kamal: what is the impitious for asking?
[18:20] <cwillu_at_work> kamal, if you need something stripped down, you're best of doing the stripping yourself
[18:21] <cwillu_at_work> there will always be something vital for you that somebody else doesn't ever use, and something they consider vital that you'd never touch
[18:21] <cwillu_at_work> alternatively:  "Yes: the super minimal package is 'linux-image-3.3.0'"
[18:22] <cwillu_at_work> anything else you'd want, you can get from an initramfs you pull in over tftp
[18:23] <kamal> utlemming: ok, I understand that such an image wouldn't be interesting as a "cloud guest" image.   my goal is to construct a lean-mean image to use as a compute-slave, and I want to avoid wasting precious microseconds or megabytes with unneeded pkgs or processes.
[18:23] <cwillu_at_work> kamal, did you read what I just wrote? :p
[18:25] <utlemming> kamal: smoser has a project called cirros that is stripped down cloud images (https://code.launchpad.net/~smoser/cirros/trunk)
[18:25] <kamal> cwillu_at_work: yup, but wanted to answer utlemming's question :-).    I understand your advice also, thanks.   Note that I'm not trying to construct an image which contains *any* packages that are "vital to me" though ...   I'm interested in the set of packages that are "vital to boot".
[18:25] <cwillu_at_work> and what I said still applies
[18:27] <kamal> ah, smoser's project does appear to be about what I'm talking about
[18:27] <smoser> its not ubuntu.
[18:27] <smoser> its buildroot (uclibc)
[18:27] <kamal> smoser: well, I guess its at least the concept of what I'm talking about :-)
[18:28] <smoser> i'm curious why you're so interested in lean
[18:28] <kamal> smoser: because: why waste RAM and time with e.g. getty's?
[18:29] <smoser> you can probably stop them
[18:30] <smoser> for i in 1 2 3 4 5 6; do sudo stop $i; done
[18:30] <kamal> smoser: sure, but why start them at all?
[18:30] <smoser> in the end, anything that is wasting memory should be able to be turned off.
[18:30] <smoser> so then you're just wasting disk spae
[18:30] <smoser> space
[18:31] <smoser> i just find it a lot of effort for a little gain.
[18:32] <smoser> and if you really wanted to, you could supply cloud-init data that would not start those ttys
[18:32] <smoser> yes... then you'd pay the cost of code running to disbable them.
[18:34] <kamal> smoser: yup, *now* you're getting on my wavelength ;-)   If I'm constructing an image for a dedicated compute-slave, which I'll run many many instances of,  I think it makes much more sense to just leave unwanted stuff out of the image, as opposed to wasting the time/space to turn it off at boot.
[18:36] <kamal> the effort will be a one-time operation, but the gain will be multiplied by the N times the instance will be run.   So I see lots of potential gain to optimizing there.
[18:36] <smoser> kamal, you're just simply going to spend a lot of time optimizing something and fixing bugs and pulling hair.
[18:36] <smoser> nothing is a one time operation.
[18:39] <kamal> smoser: well I guess I still have a bit of hair left to pull, so that sounds about right ;-)
[18:39] <kamal> anyway, utlemming, cwillu_at_work, smoser ...  thanks for the answers and advice.  I'll know where to come for further questions!  :-)
[18:39] <smoser> well, if your systems spend most of their life starting and stopping, then you probably have some optimizations you can make.
[18:39] <smoser> if, however, you like to do other things than boot
[18:40] <smoser> then your % of time spent booting goes down quickly.
[18:40] <smoser> yes, 10 second boot on a laptop is nice, but if uptime is measured in days, 20 seconds wasn't so bad.
[18:40] <smoser> but anyway.
[18:41] <kamal> smoser: I imagine that for my application, the uptime of each system will be exactly 59 minutes (one EC2 time-chunk)
[18:42] <kamal> I haven't clocked anything, but I even wondered if maybe t1.micro CPU throttling might kick in *during* the boot process, such that it would actually be even more useful to strip down useless CPU-intensive stuff at boot.
[18:42] <smoser> well, then, you've given yourself a fairly good target for optimization:
[18:42] <kamal> (again, my only experience with cloud stuff *at all* is about 1 week playing with EC2)
[18:42] <smoser>  (60 * 59 - 20) / (60 * 59) = .9943
[18:43] <smoser> so if you save 20 seconds in boot, you'll gain .005% cpu utilization
[18:43] <smoser> and i surely hope you can't save 20 seconds at goot
[18:44] <smoser> err... sorry . bad math. that is .5%
[18:47] <blendedbychris> which vnc server do i use if i want to allow windows users to use something like tightvnc to see the login screen?
[18:47] <blendedbychris> and login as their respective user
[18:48] <kamal> smoser: .5% is not entirely insignificant, I think, but its good to quantify it.   maybe I'll run an actual boot speed test and really see if it makes even that much difference.  again, thanks very much for the advice, this was a very useful discussion for me.
[18:50] <smoser> kamal, if you're interested in maximizing usefulness of time/$
[18:50] <smoser> then you will want tofind out the answer to something i have never figured out
[18:50] <smoser> (or never bothered to)
[18:50] <smoser> when does the clock start for your 60*60 on amazon
[18:50] <smoser> i suspect it starts when your request comes in, and they start doing IO on your part on their nodes.
[18:51] <smoser> you start booting at some point later
[18:51] <smoser> so that provisioning time is cost
[18:53] <kamal> smoser: I imagined that the clock started at moment that the instance goes from "pending" to "running" ...  it wouldn't be fair for them to charge you for provisioning time, imho.   I'll find out.
[18:53] <smoser> its easy to thikn that is no fair
[18:53] <kamal> yup
[18:53] <smoser> but in another sense it is
[18:53] <smoser> you're using their IO
[18:53] <smoser> or, rather, they're doing IO on your request
[18:53] <kamal> no, *they* are using their IO
[18:53] <kamal> yup.
[18:53] <smoser> why should you get free IO ?
[18:54] <kamal> imho, they charge me to "run the image".   if their systems are slow and it takes them a long time to get my image to the "running" state, thats their problem, not mine (I can't do anything about it).   As opposed to:  if my system *boots* slow, then its my problem.   Again, this is just *my* thinking.  :-)
[18:57] <kamal> http://aws.amazon.com/ec2/faqs/#What_defines_billable_EC2_instance_hours   ::   Instance-hours are billed for any time your instances are in a “running” state.
[18:57] <kamal> smoser: ^^
[18:59] <smoser> ah.
[18:59] <smoser> well thats interesting.
[18:59] <smoser> but i dont know how you can get that.
[19:00] <blendedbychris> no one?
[19:00] <blendedbychris> is there not a vnc server app that works more like remote desktop?
[19:01] <smoser> kamal, http://paste.ubuntu.com/892613/
[19:01] <kamal> smoser: ec2-describe-instances shows a timestamp which I bet is the start time
[19:01] <kamal> hahaha
[19:01] <smoser> it is not
[19:01] <smoser> it is the request time
[19:01] <smoser> (as shown in that paste)
[19:02] <kamal> smoser: hmmm... curious.  why do I care what my request time was?   :-/
[19:02] <smoser> because its the billing start time :)
[19:03] <kamal> smoser: not per that FAQ though
[19:03] <smoser> yeah. i dont know.
[19:07] <cloakable> Anyone know how to combine fail2ban with remote logging?
[19:10] <Pici> cloakable: fail2ban appears to support logging to syslog, so you should be able to work with it from there.
[19:11] <cloakable> Yeah, but it wants to watch a logfile. Which presumably means running on the server accepting the logs.
[19:12] <cloakable> Which as far as I can tell with default configuration, means that someone trying to bruteforce my gateway will get banned on the logging server. Not useful.
[19:16] <cloakable> I suppose mounting the remote directory via nfs might work
[19:28] <maxagaz> hi
[19:29] <maxagaz> md5sum returns the md5 following by the file name, why not only the md5 ?
[19:30] <maxagaz> md5sum, is there some option to get only the md5, or only awk, cut... ?
[19:32] <bluefrog> md5sum without the name of the file in a list is pretty useless
[19:33] <marcoceppi> maxagaz: there isn't, in the ch_get_file method, when it calculates md5 sum it does md5sum <file> | awk '{ print $1}'
[20:07] <zul> SpamapS: ping what do you think about https://bugs.launchpad.net/bugs/959426 (note we dont use mysql by default)
[20:08] <SpamapS> zul: the age old problem. ;)
[20:09] <SpamapS> zul: these services should probably be more resilient to the database being unavailable and retry a few times.
[20:09] <zul> SpamapS: right but the upstart scripts for nova doesnt assumed that mysql is installed
[20:10] <SpamapS> zul: the upstart jobs are doing the right thing. Ignore the "on the same machine" bit. What if your data center goes down all at once? When you come back up.. you shouldn't have to remember what order to boot machines.
[20:10] <zul> right
[20:10] <SpamapS> we likely start mysqld and glance and nova all at the same time, on runlevel 2
[20:11] <zul> ok i can accept that
[20:21] <maxagaz> marcoceppi, ok, thanks
[20:28] <maxagaz> how to echo a tab ?
[20:29] <maxagaz> echo -e "a\tb"
[20:44] <guampa> someone knows if postfix *_queue_lifetime can be tuned for specific smtp errors? I would want to set 2 days max for smtp 450 (mailbox unavailable)
[20:53] <gary_poster> hallyn, will lxc cause top to be confused about active processes in the container?  I didn't expect so, but I'm seeing unexpected behavior (which may well be from other sources) that reports that only one process is active and the rest are idle.  I have one active process in the host, but should have ~16 from 8 containers.  my cpu usage info is also very low, according to top (>99% idle).  Is any of this explainable
[20:53] <gary_poster>  with lxc, or should I look elsewhere?
[20:54] <gary_poster> note that the container's processes are listed in top, it's just that are not shown as doing much
[21:51] <soren> Daviey: Expect a keystoneconfig-common to appear out of nowhere soon. Should make integrating packages with Keystone a breeze.
[21:56] <Daviey> soren: that is awesome!!
[21:56] <Daviey> soren: Likely before Thurs?
[21:58] <soren> Daviey: It's almost done. I expect to finish testing it tomorrow.
[21:58] <soren> Daviey: There's probably half a million things I haven't thought about, but the other 27 things I did think about should be covered.