[00:10] <adam_g> hallyn: http://paste.ubuntu.com/894479
[00:10] <adam_g> hallyn: any ideas?
[00:16] <adam_g> Daviey: http://paste.ubuntu.com/894473/ that testing override look reasonable?
[00:22] <hallyn> adam_g: no, that shouldn't be happening...
[00:22] <hallyn> Daviey: bug 891232
[00:23] <hallyn> adam_g: is your system uptodate?  i'll try a fresh instance...
[00:23] <hallyn> adam_g: unless you have other files under /etc/apparmor.d/lxc that you created...
[00:24] <adam_g> hallyn: strange, this happened on one of the CI nodes, the same version installed fine across all of the other nodes, though.
[00:24] <hallyn> adam_g: disconcerting
[00:24] <hallyn> are they all using hte same mirror?
[00:24] <adam_g> i know juju is the one installing lxc, wonder if its doing anything strange
[00:25] <Daviey> hallyn: ok, thanks.. i bumped the status back, which makes it show on the tracking page
[00:26] <Daviey> adam_g: looks good, not tested it.. It's a shame there isn't a helper in the upstream src
[00:26] <hallyn> adam_g: is that instance still up?
[00:27] <hallyn> adam_g: if so, can you pastebin /etc/apparmor.d/lxc-container and /etc/apparmor.d/* ?
[00:28] <adam_g> hallyn: sure one sec
[00:29] <adam_g> Daviey: cool. seems to work just fine with jenkins builds
[00:29] <hallyn> i've gotta run out actually, backin awhile
[00:31] <Daviey> hallyn: o/
[00:35] <adam_g> hallyn: gonna tear down and redeploy, see if its a fluke. here is /etc/apparmor.d/ for you if interested, http://people.canonical.com/~agandelman/apparmor.tar
[01:00] <hallyn> adam_g: thx
[01:02] <hallyn> adam_g: really if it happens again, probably best to file a bug against lxc and mark it as also affecting apparmor (bc the files look fine, so it sounds like a transient error in the apparmor_parser)
[01:03] <adam_g> hallyn: ill keep an eye out for it, so far so good
[01:06] <stgraber> hallyn: http://people.canonical.com/~ubuntu-archive/livefs-build-logs/precise/edubuntu-dvd/20120322/livecd-20120322-i386.out
[01:06] <stgraber> hallyn: Edubuntu DVD build failed because of the new lxc's postinst
[01:07] <stgraber> hallyn: http://paste.ubuntu.com/894524/ is the important part
[01:09] <hallyn> stgraber: so apparmor is installed but not active?  why couldn't it find the fs?
[01:09] <hallyn> maybe i'm supposed to use /lib/init/apparmor-profile-load
[01:10] <hallyn> jdstrand: in a postinst, should i be using /lib/init/apparmor-profile-load in place of apparmor_parser?
[01:10] <hallyn> jjohansen: ^
[01:11] <stgraber> hallyn: well, that's in a live-build environment so a chroot in a chroot on an older kernel :)
[01:12] <stgraber> hallyn: apparmor is indeed insalled in that chroot but certainly doesn't match the version in the kernel (probably 2.6.24) and no services are running as it's a chroot using policy-rc.d to prevent anything from starting
[01:12] <stgraber> so not your everyday use case except it's what we have on the CD builders and so it needs fixing before we can get dailies again :)
[01:13] <hallyn> stgraber: using apparmor-profile-load would check for the fs, but not kernel compatibility.  so not sure that'd be 100% fix
[01:13] <hallyn> will push a fix as soon as i get guidance :)
[01:14] <hallyn> stgraber: open a bug?
[01:14] <hallyn> note i won't be in tomorrow
[01:15] <hallyn> ah
[01:15] <hallyn> maybe i can check /sys/kernel/security/apparmor/features/mount/
[01:15] <hallyn> stgraber: is it possible for you to walk into such a chroot and see if /sys/kernel/security/apparmor/features/mount/ exists ?
[01:16] <stgraber> hallyn: no, these builds run on a livefs builder in the DC and are flushed immediately when they fail
[01:16] <hallyn> stgraber: will they try to build+run a container?
[01:17] <stgraber> hallyn: I'll have a quick look through the log to see if I can find some information on /sys/kernel/security/apparmor/features/mount/
[01:18] <stgraber> hallyn: my guess is that nothing in /proc or /sys is mounted
[01:19] <hallyn> stgraber: ok i'll do the checks by hand.  i also will update lxc-start bc i suspect it'll break you as well.
[01:19] <stgraber> hallyn: hmm, actually based on the logs /proc and /sys are mounted, no mention of securityfs though, so probably not mounted (unless some packages do it)
[01:31] <hallyn> stgraber: http://paste.ubuntu.com/894544/ is for the postinst part
[01:31] <hallyn> I'm going to add a patch to start.c before pushing
[01:32] <hallyn> stgraber: opinion q
[01:33] <hallyn> stgraber: if a transition to container polciy fails, should we just ignore it?
[01:33] <hallyn> ah
[01:36] <stgraber> hallyn: the problem isn't "on livecd" it's "on the livecd builder"
[01:36] <stgraber> hallyn: I think running lxc on the livecd will probably work fine
[01:37] <hallyn> stgraber: the reason i'm worried is that it *looks* as though apparmor policies don'et get loaded on livecd
[01:37] <hallyn> (look at /lib/init/apparmor-profile-load)
[01:38] <hallyn> soi want to quickly check, before we start loading the container, if apparmor module is loaded and we're in lxc-start profile, and skip the transition if not
[01:38] <stgraber> hallyn: ah, indeed, I guess no apparmor in the live environment was to make things faster
[01:39] <hallyn> well ok maybe i should push this fix, so you can get it built, and then we can fix lxc-on-livecd next (and try to do it properly)
[01:39] <stgraber> hallyn: running /lib/init/apparmor-profile-load would make sense as we'd avoid some code duplication in the process, unless it's bad to do that for some reason
[01:39] <hallyn> it still doesn't check for mount support, so it's not really enough
[01:40] <hallyn> inf act i guess the upstart job should be fixed to check for that too
[01:41] <hallyn> oh, but we can't
[01:41] <hallyn> can't be sure securityfs is mounted
[01:45] <hallyn> stgraber: heh i was being dense.  so yes switching to that, as per http://paste.ubuntu.com/894559/
[01:47] <stgraber> hallyn: looks good
[01:53] <jjohansen> hallyn: hrmm I honestly don't know, I will have to defer to jdstrand, I still haven't dug into the debian packaging end of things. Its one of those perpetual I look at it this cycle ... things
[01:54] <hallyn> jjohansen: I'm feeling pretty good about the patch i'm whipping up :)
[01:54] <hallyn> jjohansen: will you be around in a few mins to proofread?
[01:55] <jjohansen> hallyn, stgraber: apparmor was pulled from the livecd environment ages ago because of unionfs issues actutally, and it was never reinstated because it wasn't considered to be important there
[01:55] <jjohansen> hallyn: yeah I'll be around, I just got back from dinner
[01:55] <hallyn> jjohansen: that's funny, bc i thought it was a regression when overlayfs didn't work with it.  But now I see why it was never found :)  good good
[01:57] <jjohansen> hallyn: actually it is a regression, it works with aufs, and unionfs.  I know why its not working with overlayfs but get a proper fix (not attach_disconnected) just isn't going to happen this cycle.
[01:58] <jjohansen> the unionfs bug is back when I was at Novell and Ubuntu tried switching to unionfs 2.1 instead of 1.4, it was buggy and crashed and they endup pull AA to try fixing it and then reverting to unionfs 1.4 in the end but not restoring AA
[01:58] <hallyn> jjohansen: oh noes.  what the heck do the contents of /sys/modules/apparmor/enabled mean?
[01:59] <hallyn> why is it 10 instead of 1
[02:00] <jjohansen> hallyn: 10? It should be Y
[02:00] <hallyn> hmm, when i read it as %c it's 'm'
[02:00] <hallyn> gah
[02:01] <hallyn> sorry.  my bad
[02:04] <hallyn> runlevel 2 is entered AFTER rc-sysinit right?
[02:10] <hallyn> jjohansen: http://paste.ubuntu.com/894576/  is what I'm looking at...
[02:10] <hallyn> jjohansen: pls critique :)
[02:11] <twb> SYSF sounds like its missing an -S
[02:12] <hallyn> oh is that why it looked funny :)
[02:12] <twb> Why are you binding it to a variable if you only evaluate the variable once?
 to keep the condition easy to read?
[02:12] <hallyn> and under 80 cols
[02:12] <hallyn> over-conditioned
[02:13] <twb> I have a coworker who does things like
[02:13] <twb> PATH_TO_ETC_EXPORTS=/etc/exports
[02:14] <hallyn> :)
[02:14] <twb> FWIW, type is not SUS portable, nor is which.  But Debian is (AFAIK) guaranteed to have both.  I would generally use which on Debian because that seems to be the convention.
[02:14] <hallyn> i suppose if it's going to be dereference tons of times...
[02:14] <twb> (I'm assuming the postinst is #!/bin/sh and not #!/bin/bash
[02:15] <hallyn> twb: oh, i always used which in the past,
[02:15] <twb> It's merely a style issue
[02:15] <hallyn> then saw type, and thought "huh, must be som ereason they're using that"
[02:16] <twb> If the existing code is already using type you might as well keep to that convention
[02:17] <twb> Typo:  94 ++              INFO("apparmor not emabled");
[02:17] <hallyn> d'oh, landed my var decl inside a long #else
[02:17] <hallyn> thanks
[02:17] <twb> Does this affect both lxc-start and lxc-exec?  And if so, does it DTRT for both cases?
[02:18] <twb> (I'm looking at the patch part but it's beyond my expertise.)
[02:21] <hallyn> twb: they both use lxc_start() from start.c.  so it should, and seems to be here
[02:26] <jjohansen> hallyn: twb has caught more things than I did
[02:26] <hallyn> twb: ah, but, it doesn't
[02:26] <hallyn> the lxc-init wants to mount /proc and /sys.  it's not allowed to
[02:27] <jjohansen> hallyn: there is an  aa_is_enabled fn if you want, but your rolling your own is fine
[02:27] <twb> I WIN
[02:28] <hallyn> jjohansen: d'oh!  i looked for a manpage but couldn't find anything like that
[02:28] <twb> paranoia strikes again
[02:28] <hallyn> guess i only tried aa_enabled
[02:28] <hallyn> jjohansen: i trust aa_is_enabled would be more robust?
[02:28] <jjohansen> hallyn: hrmm, sorry they really should be bread crumbs between the different man pages but that one seems to be missing
[02:29] <hallyn> right i looked for 'see also' in the others :)
[02:29] <jjohansen> hallyn: heh, it does much the same thing but includes a search of mount points in case things get mounted else where
[02:30] <hallyn> how often do they get mounted elsewhere?
[02:30] <hallyn> my inclination is, if they're mounted elsewhere, we want to disable aa for containers... but not sure
[02:30] <jjohansen> but I think most of the scripts would break if things weren't mounted at /sys
[02:30] <jjohansen> hallyn: call it a hold over from by gone times before securityfs
[02:31] <jjohansen> hallyn: like I said rolling your own is fine
[02:31] <jjohansen> I really don't see a need to change it
[02:32] <jjohansen> hallyn: I guess it does let you detect a little more about how/why apparmor is disabled
[02:32] <jjohansen> eg. available but disabled at boot
[02:32] <hallyn> stgraber: I really think we'll want to allow containers to mount proc ->/proc and sys -> /sys just to reduce # of complaints
[02:33] <stgraber> hallyn: yeah, I didn't do it because it worked without it
[02:33] <stgraber> hallyn: but it's safe to allow so no problem with that
[02:34] <hallyn> stgraber: the only reason i'm hesitating is they'll just want to mount devpts next (and that they cant)
[02:35] <stgraber> hallyn: you could add a generic "deny mount fstype=devpts," with a comment explaining why we never want it
[02:35] <hallyn> all right i'm adding it
[02:35] <hallyn> good idea (long as it doesn't confuse apparmor)
[02:35] <stgraber> it'll silence anything trying to do it and if they look at the profile they'll see why
[02:35] <jjohansen> stgraber, hallyn: so I working through the fixes for change_onexec, and the deny mount bug.  They should be in tomorrows up load
[02:36] <stgraber> jjohansen: great, thanks!
[02:36] <jjohansen> hallyn: as well as the getcon fixes I have
[02:37] <jjohansen> stgraber: there is a small syntactic change to the mount rules
[02:37] <stgraber> jjohansen: ah?
[02:37] <jjohansen> the options bit is picking up another keyword
[02:37] <hallyn> wait - what is the deny mount bug?
[02:38] <hallyn> will i hit it if i'm adding 'deny mount fstype=devpts" ?
[02:38] <stgraber> hallyn: "deny mount..." won't match with the current apparmor
[02:38] <jjohansen> hallyn: it doesn't always result in the correct denial at the moment, depending on the options being set
[02:38] <hallyn> will it deny a different mount potentially, or just not deny it?
[02:38] <hallyn> the latter's ok, the former is bad :)
[02:38] <stgraber> not that I could see
[02:39] <jjohansen> hallyn: no that should not cause a problem
[02:39] <hallyn> cool
[02:39] <hallyn> ok, testing http://people.canonical.com/~serge/debdiff
[02:39] <jjohansen> stgraber: so you can do option=(X, Y) that means this rule requires those options be set to match
[02:39] <jjohansen> and you can do
[02:40] <jjohansen>   options in (X, Y)
[02:40] <jjohansen> meaning any of the options can be set
[02:40] <hallyn> i dn't envy the person who's going to document that :)
[02:41] <jjohansen> heh, no. Its ugly, we kicked around a lot of different ways to express it, and decided that with the current time frame ...
[02:42] <stgraber> jjohansen: oh, that's nice, the "options in (a, b)" will definitely be useful for stuff like devpts
[02:43] <jjohansen> stgraber: yeah, it has its uses
[02:43] <jjohansen> especially around writing deny mount options in (X, Y, Z)
[02:44] <jjohansen> hallyn, stgraber: we will be looking at revising the syntax for the next release, so any improvements you can think of are more than welcome
[02:44] <hallyn> pls keep me posted if it's going to require lxc chagnes to keep up :)
[02:45] <hallyn> d'oh.  stgraber: another thing occurred to me- would be good to get apport info into lxc
[02:45] <jjohansen> hallyn: we plan to keep it backwards compatible, so changes should not be required but if you have something you would like I would like to hear about it
[02:46] <jjohansen> the current syntax is an uncomfortable compromise
[02:50] <hallyn> will think about it, thanks
[02:50] <hallyn> (long drive tomororw, time to think :)
[02:50] <hallyn> ok i think i'm pushing
[02:51] <stgraber> debdiff looked good, didn't look the C change too closely though but I'm sure you tested it so it probably won't be any worse at least ;)
[02:52] <hallyn> and *that* should be my last upload before this freeze :)
[02:53] <hallyn> now i can go back to fretting over how brittle libvirt and qemu feel
[02:54] <stgraber> I'll do some LXC tests tomorrow now that the installer sprint is over, if I find something broken I'll fix it
[02:55] <hallyn> great, thanks
[02:55] <hallyn> hm, so server guide string freeze is tomorrow
[02:55] <hallyn> so i have tonight to get in an update to the lxc section about apparmor
[02:56] <stgraber> lxc is only affected by beta2 freeze because it's part of Edubuntu but as I'm the product manager for Edubuntu I should be able to get something trough even post-freeze time if needed (as long as I have time to test the new images)
[02:56] <stgraber> I believe someone asked for a later freeze time of the server guide, hold on a sec I'll dig a link
[02:56] <hallyn> that'd be great
[02:57] <hallyn> (i suppose we can always just put that documentation on the wiki and integrate into server guide later)
[02:57] <stgraber> hallyn: https://lists.ubuntu.com/archives/ubuntu-release/2012-March/000991.html
[02:57] <hallyn> for middle-of-the-night driving, it helps staying awake to think through a paper or docs to write
[02:58] <hallyn> cool, thanks.  that also gives me time to review the libvirt part
[03:15] <hallyn> good night, see you all friday
[07:55] <smb> smoser, No, smb usually has no ideas after sensible working hours and even more on Wednesdays. ;)
[08:20] <koolhead11> hi all
[08:57] <Znow> Ive followed the guide on ubuntu, for setting up Samba fileshare - so I can map a drive on my windows machine to the ubuntu virtual machine. I can ping the ubuntu machine, but cant map the drive, it says network error. does the ubuntu virtual machine need a static ip address for this?
[08:59] <uksysadmin> hey guys
[08:59] <uksysadmin> great work on openstack btw - I've got Ubuntu 12.04 running Essex: Nova, Glance, Keystone, Horizon and Swift
[08:59] <uksysadmin> wanted to make sure that your efforts are not going unnoticed
[09:03] <koolhead11> uksysadmin:  :D
[09:15] <ejv> openstack?
[09:16] <ejv> interesting
[09:18] <koolhead11> ejv: i was execting "O WAO" reaction TBH :)
[09:18] <koolhead11> *expecting
[09:23] <Znow> my top bar with menues wont show on 11.10???
[09:23] <Znow> how can I get it to show?
[09:24]  * koolhead11 points Znow to #ubuntu
[09:29] <thevinci> how do i install third party drivers from the command line in ubuntu server?
[09:29] <thevinci> I need my broadcom wireless driver to work
[09:36] <jamespage> morning all
[09:39] <ejv> sorry i haven't drank the cloud koolaid just yet koolhead11 ;)
[09:39] <koolhead11> ejv: :P
[09:49] <blizzkid> Hi all. might not be the most appropriate chan to ask in, but has the UCP programme been cancelled? I still find some info about it, but seems outdated...
[09:53] <jamespage> bencer_, binary packages just got accepted - should appear in the archive in the next couple of hours
[09:57] <rbasak> thevinci: the jockey-common package will give you a jockey-text command which I think is the equivalent of the GUI tool for proprietary drivers on the desktop, but I've never used it (I avoid that kind of hardware). That might be a starting point. Or you could do whatever jockey does manually - perhaps there's a package in the archive for your hardware?
[09:59] <lynxman> morning o/
[10:01] <jamespage> jodh, whats the recommended way to disable an upstart configuration these days?
[10:02] <jodh> jamespage: http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting
[10:02] <jodh> jamespage: specifically, http://upstart.ubuntu.com/cookbook/#override-files
[10:02] <jamespage> jodh, was just reading that - thanks for the confirmation
[10:26] <jamespage> jodh, are you around for a question about wait-for-state?
[10:27] <jodh> jamespage: that's one of SpamapSs, but you can try :)
[10:31] <jamespage> jodh, OK - just let me frame my question
[10:35] <jamespage> jodh, actually I think I just answered by own question - I;m looking at a bug in the autofs startup
[10:38] <jodh> jamespage: ok. I've raised bug 962047 as wait-for-state needs to be documented both in a man page and the cookbook IMHO.
[10:38] <jamespage> jodh, I think by default wait-for-state waits for the 'started' event - which stops autofs restart if ypbind is installed and already running
[10:39] <jamespage> I think that if I target WAIT_STATE=running that should do the trick
[10:39] <freaky_> hi, i'm upgrading 8.04 lts to 10.04 lts (do-release-upgrade). It's near the end I think, it just restarted PowerDNS and now nothing is happening... haven't seen output in 10 mins or something any ideas?
[11:06] <uksysadmin> hello all
[11:07] <uksysadmin> I've just been in a meeting with some of our folks over RabbitMQ HA options... what is the best resource, person to have a chat to pick the brains on what we want to achieve?
[11:07]  * koolhead11 points uksysadmin to lynxman :P
[11:08]  * lynxman feels pointed at
[11:08]  * uksysadmin will get one of our guys to ping lynxman if he doesn't mind...
[11:09] <lynxman> uksysadmin: it's fine :)
[11:09] <uksysadmin> lynxman: best coming from them on what they want to set up, what they have setup and what challenges they came up against.
[11:09] <uksysadmin> they're not on irc atm, but I'll send them you're way when they are.
[11:10] <koolhead11> uksysadmin: BTW lynxman is in UK too.
[11:10]  * koolhead11 hides
[11:11] <uksysadmin> lol
[11:11] <uksysadmin> helps with timezones :)
[11:12] <lynxman> uksysadmin: it does ;)
[11:13]  * koolhead11 needs extra beer from lynxman when he meets 4 that
[11:19] <aljosa> anybody knows if there is a deb package for java 1.5 sdk available somewhere that can be used on ubuntu 12.04?
[11:20] <freaky_> is there any way to prevent apparmor from returning? Just ran a apt-get dist-upgrade and in reinstalled (and started) apparmor
[11:20] <freaky_> apparmor screws plesk over badly unfortunately
[12:08] <thevinci> I HATE BROADCOM DRIVERS!
[12:08] <thevinci> Can anyone help me figure out hoe to get my ubuntu server laptop connected to the wireless internet?
[12:09] <ikonia> thevinci: checkout the desktop guide, the process is the same
[12:09] <thevinci> from command line?
[12:10] <thevinci> I installed b43-fwcutter from the desktop cd
[12:10] <thevinci> but it's saying i need other firmware drivers that i can't find anywhere...
[12:18] <Daviey> uksysadmin: Glad to hear things are working out for you :)
[12:18] <Daviey> uksysadmin: I think some of the frustrations you have been feeling has been lack of doc's, meaning that often the wrong this has been done by the end user.
[12:18] <Daviey> Hopefully, by release - this will be easier.
[12:18] <ednolivers> hey all. does anyone know the recommended approach to upgrading apache in 10.04 LTS? i thought there'd be a backport but i can't find one
[12:19] <uksysadmin> Daviey: I think so too
[12:19] <uksysadmin> keystone -> redux didn't help
[12:21] <Daviey> uksysadmin: no.. that was more painful than we hoped.
[12:21] <Daviey> uksysadmin: It's so easy to go down ratholes with this :/
[12:21] <uksysadmin> Daviey: indeed!
[12:22] <uksysadmin> BUT - the upshot - OpenStack is alive and kicking on 12.04 - that's some achievement.
[12:22] <Daviey> uksysadmin: Great job!
[12:22] <Daviey> uksysadmin: What is your install method?
[12:23] <uksysadmin> closing eyes and praying
[12:23] <uksysadmin> ;-)
[12:24] <uksysadmin> at the mo - scripted apt-get installation
[12:24] <uksysadmin> hoping to get some Canonical love though for when we do this for real though
[12:24] <Daviey> uksysadmin: sounds great :)
[12:25] <Daviey> uksysadmin: Have you documented your workflow?
[12:26] <uksysadmin> if I was a developer, I'd say yes ;-) ... its work in progress
[12:26]  * uksysadmin goes to get free pizza
[12:27] <Daviey> uksysadmin: Can i have free pizza?
[12:28] <zul> Daviey: i saw the keystone ftbfs this morning once of the requirements is to have a working MIR however in order to test the keystone that failed you need to have swift installed and there is a fix for it proposed but it uses a git checkout to get swift
[12:28] <Daviey> zul: linky?
[12:29] <Daviey> to the MP
[12:29] <zul> just a sec
[12:29] <zul> https://review.openstack.org/#change,5595
[12:57] <smoser> kirkland, around ?
[12:58] <smoser> lynxman, ?
[13:02] <smoser> lynxman, well, when you see this..
[13:02] <smoser> http://bazaar.launchpad.net/~orchestra/orchestra/trunk/revision/61
[13:02] <smoser> that seems like you added the rsyslog stuff.
[13:02] <smoser> and i'm trying to move it to maas
[13:16] <zul> Daviey: so you dont like the polling?
[13:19] <Daviey> zul: if poll doesn't scale to the regularity of the baud of the serial console being reasonabnle to fill up the disk :)
[13:19] <Daviey> OTP btw
[13:19] <zul> Daviey: k so daemon then?
[13:20] <Daviey> smoser: http://bazaar.launchpad.net/~orchestra/orchestra/trunk/revision/61/monitoring-server/etc/rsyslog.d/99-orchestra.conf <-- dump to disk
[13:20] <smoser> Daviey, yes, i just had some questoins about that.
[13:20] <smoser> i'm thinking i'm not going to bother with gnutls at the moment.
[13:20] <smoser> its boot logging only
[13:20] <Daviey> smoser: agreed
[13:20] <smoser> so, mark this place in your irc history
[13:20] <smoser> so you can come back and blame me
[13:20] <smoser> :)
[13:20] <Daviey> :D
[13:21] <smoser> the thing htat sucks here.
[13:21] <smoser> i think we're baically going to open up a udb listening rsyslog server
[13:21] <smoser> udp
[13:21] <smoser> that will log whatever traffic anyone wants
[13:22] <smoser> and fill /var/log appropriately
[13:23] <Daviey> smoser: notice the paths?
[13:23] <Daviey> different files for each node
[13:23] <smoser> so?
[13:24] <smoser> different files for each attacker?
[13:24] <smoser> well thats convieneint
[13:24] <Daviey> smoser: make sure it's not dependant on hostname.. as it can chane easily.
[13:24] <Daviey> change*
[13:24] <Daviey> smoser: just pointing it out
[13:24] <smoser> not dependant on hostname ?
[13:24] <smoser> why?
[13:24] <smoser> its useful
[13:24] <smoser> i was just putting everything into
[13:24] <smoser>  /var/log/maas/rsyslog/OSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/messages
[13:25] <smoser> (no need to separate, i dont think)
[13:27] <smoser> so this is what i've got right now
[13:27] <smoser>  http://paste.ubuntu.com/895081/
[13:28] <Daviey> smoser: HOSTNAME isn't stable
[13:28] <zul> i dont like the hostname/$year/$month/$day/meesages
[13:28] <Daviey> there needs to be another metric
[13:28] <smoser> why?
[13:28] <Daviey> smoser: it can change too easily..
[13:28] <smoser> so?
[13:28] <smoser> are you trying to be safe against an attack ?
[13:29] <Daviey> smoser: i'd rather it used the UUID :)
[13:29] <Daviey> smoser: no, just consistent logging locations for each node
[13:29] <Daviey> sorry for being sparse, OTP
[13:30] <smoser> http://www.rsyslog.com/doc/property_replacer.html
[13:30] <smoser> thats what we can use
[13:30] <smoser> without modifying the syslog support in the installer to read a kernel parameter that is passed (UUID)
[13:31] <smoser> maybe fromhost-ip ?
[13:34] <Daviey> smoser: UUID is certainly more interesting.. but right.. do what you think is best :)
[13:34] <smoser> uuid is also a helluva lot more difficult to find
[13:35] <smoser> oh look, host 972035b7-f428-4127-8f0c-582d948c6a79 logged a message
[13:35] <smoser> let me go to that host
[13:37] <lynxman> smoser: around!
[13:37] <smoser> well, see my pastebin above.
[13:38] <smoser> do you think that is a sane rsyslog config ?
[13:38] <lynxman> smoser: yeah, rsyslog according to the MaaS design (let me know if somehting has changed) should only be installer logs
[13:38] <lynxman> Daviey: we're still set on that right?
[13:38] <Daviey> yes please, for now.
[13:38] <smoser> lynxman, that is correct.
[13:39] <lynxman> smoser: it looks like a sane rsyslog conf
[13:39] <lynxman> smoser: although messages will filter, you still need something else
[13:39] <smoser> k.
[13:39] <smoser> curious
[13:39] <lynxman> smoser: *looks around*
[13:39] <smoser> why are there 2 ?
[13:40] <smoser> why did orchesta logging server have 2 configs
[13:40] <Daviey> install time, and long term.
[13:40] <Daviey> ?
[13:41] <lynxman> smoser: it has one per client and one to the server, we didn't fully cover install time
[13:41] <lynxman> smoser, Daviey: We just need to know the install time channel and divide that into local and not local, then filter it from the rest, should do
[13:43] <lynxman> smoser: otherwise any message to let's say user.* will go both to local and remote file locatios, the filter is not exclusive and needs to be explicitly filtered out
[13:43] <lynxman> smoser: I'll be around in case I can be of help :)
[13:43] <smoser> lynxman, right now, boot logs go both places
[13:43] <smoser> in orchestra
[13:43] <smoser> they go to syslog and to the remote
[13:43] <smoser> were you saying that was not intended ?
[13:43] <smoser> anyone want to test something for me and maybe open a bug ?
[13:44] <lynxman> smoser: that was not intended indeed :)
[13:44] <smoser> i am under the impression that virtio net and possibly virtio disk are considerably slower in the guest
[13:44] <smoser> in precise compared to lucid
[13:44] <lynxman> smoser: can do later today, right now I'm heads down doing a juju openstack install
[13:44] <smoser> i would like someone to (with precise host) boot kvm guests of both and prove me wrong or right.
[13:45] <lynxman> smoser: could do :)
[13:45] <lynxman> smoser: as soon as I got this hammered I'll be glad to
[13:45] <smoser> (on canonistack, it seems to me that i can hit almost 50M/s writing to /dev/null in lucid, but only half that or worse  in precise)
[13:46] <smoser> lynxman, http://paste.ubuntu.com/895099/
[13:46] <smoser> that is how you stop messages from going to the default location
[13:48] <smb> hallyn, So it seems bug 929626 which I thought was virt-manager might actually be a libvirt issue. mdeslaur found a rh bugilla with a good lead: https://bugzilla.redhat.com/show_bug.cgi?id=746007
[13:50] <smb> hallyn, Would you know better which area needs inspection when an acquired object seems not to get certain updates?
[13:56] <lynxman> smoser: I know, the difference is that you have messages coming from the same syslog channels, so you need to define both remote and local and then filter out :)
[13:57] <smoser> lynxman, so you're syaing that the same does not work ?
[13:58] <smoser> i just assumed i could put the & ~ after the last matching condition
[13:58] <smoser> and it would drop it
[13:58] <smoser> basically i though "& ~" meant "drop this message if the last condition was true"
[13:58] <smoser> so...
[13:58] <smoser>  http://paste.ubuntu.com/895109/
[14:00] <lynxman> smoser: as far as I know you're dropping the channel, although that is a filtering rule...
[14:01] <lynxman> smoser: let's try that and see how it goes :)
[14:24] <jamespage> ttx: around - have a question about milestone-proposed branches for https://github.com/openstack/*
[14:24] <ttx> jamespage: yes
[14:24] <jamespage> ttx: coolio
[14:25] <jamespage> ttx: so we have had a few issues in the Ubuntu OpenStack CI lab with FOLSOM opening for dev - most of which we have resolved by switching to the milestone-proposed branch
[14:26] <jamespage> I just wanted to understand what the Openstack approach to master/milestone-proposed branches was between now and release so I can update the test configurations correctly
[14:26] <ttx> So the RCs will be generated in the milestone-proposed branches
[14:26] <ttx> at release time we'll cut stable/essex branches
[14:26] <ttx> and hand them to stable maintenance team
[14:27] <jamespage> ttx: OK - that was what I expect to happen.
[14:27] <ttx> the trick is everyone is not using mliestone-proposed branches yet
[14:27] <ttx> since keystone is not RC1 yet
[14:27] <jamespage> ttx: so I noticed
[14:27] <ttx> so you should actually use "milestone-proposed and master if not"
[14:27] <jamespage> ttx: OK - thats what we have been doing
[14:28] <ttx> I hope keystone will be RC1 today
[14:28] <jamespage> ttx: https://github.com/openstack/python-novaclient/branches is giving us a few issues as folsom has opened but no milestone-proposed?
[14:28] <jamespage> does this apply to core projects only or all projects?
[14:29] <ttx> hmmm
[14:29] <ttx> there should be one
[14:30] <ttx> https://github.com/openstack/python-novaclient/tree/milestone-proposed
[14:30] <ttx> and there is ^
[14:30] <ttx> it wasn't committed to, though
[14:30] <ttx> since novaclient didn't need Final=True pushed to it
[14:30] <ttx> so maybe it didn't trigger on your side
[14:32] <jamespage> ttx: hmm - showing my lack of git knowledge now - thanks for pointing that out
[14:35] <jamespage> ttx: OK - think I'm all set now -thanks for the advice (see you in a couple of weeks!)
[14:36] <ttx> np, see ya
[14:38] <MRCracker2> hi all, my ssh speed is too low how i can speed it up?
[14:53] <MRCracker2> not any idea?
[15:23] <Matrix3000> need help, this nfs mount in my fstab is causing boot to hang
[15:23] <Matrix3000> how can i make it timeout the nfs mount and continue booting in like 20 seconds
[15:23] <Matrix3000> or something instead of it just perm hanging
[15:24] <ikonia> why not make it an auto mount map
[15:24] <ikonia> why is it hanging ? why can't it mount at boot time ?
[15:24] <Matrix3000> cause, its offline right now
[15:24] <Matrix3000> lol
[15:25] <Matrix3000> it's an nfs mount that is under maintenance at the moment and it's not an essential mount
[15:25] <Matrix3000> just gives us some extra files
[15:25] <ikonia> stick an automount map in
[15:25] <Matrix3000> let me look that up
[15:25] <Matrix3000> cause i don't know where automap is
[15:26] <ikonia> have a dig on "NFS automount map"
[15:26] <ikonia> you'll get some idea of how to do it,
[15:26] <ikonia> if you get stuck ask
[15:32] <Matrix3000> but you are saying using autofs will prevent a boot hang when the system cant connect to the nfs mount?
[15:32] <Matrix3000> nfs share I mean
[15:33] <ikonia> Matrix3000: yes, as it doesn't mount it untilt it's called eg: something needs/wants it
[15:33] <Matrix3000> ok
[15:33] <Kiall> ikonia, cant you just add the "nobootwait" flag to the fstab line?
[15:34] <Kiall> ikonia / Matrix3000: http://askubuntu.com/questions/120/how-do-i-avoid-the-s-to-skip-message-on-boot
[15:35] <Matrix3000> that actually looks like an easier sollution as apache does use files on that mount
[15:35] <Matrix3000> for one of the sites
[15:35] <Matrix3000> but that site is down right now as expected
[15:38] <ikonia> Kiall: that would work too, good call
[15:42] <Kiall> ikonia, Yea, when you use EC2, you learn about that option pretty quick ;)
[15:42] <Kiall> There's no console to press the 'S' for Skip etc
[15:43] <ikonia> it's a good suggestion, didn't think of it at all
[15:45] <Matrix3000> lol
[15:45] <Matrix3000> that would be terrible
[15:45] <Matrix3000> that's why i am not fan of ec2
[15:45] <Matrix3000> but, EC2 is affordable and works for the most part
[15:46] <Matrix3000> wish it was like vCloud
[16:11] <tolland> any idea why this request to httpd is waiting 20 secs to return;
[16:11] <tolland> http://pastebin.com/N3xq8SWg
[16:11] <tolland> (cross posted sorry, ignore the other one)
[16:11] <Decepticon> hi people
[16:11] <Decepticon> good day
[16:12] <Decepticon> I have ubuntu serve of 10.04 but i have problem with my sqladmin
[16:12] <Decepticon> this is error: #2003 Cannot log in to the MySQL server
[16:12] <Decepticon> but i have user and password fine!
[16:13] <Decepticon> please help me please!!!...
[16:14] <Decepticon> hi people!
[16:18] <tolland> Decepticon: i would start by resetting the user/pass http://is.gd/7kL2vj
[16:19] <Decepticon> tolland: ok! i´m check this
[16:19] <Decepticon> thanks
[16:19] <tolland> you can use the show grants command once you have either reset the admin user, or dropped grants
[16:20] <tolland> to see what the server thinks of your user/pass
[16:20] <Decepticon> tolland:  you are the maximun
[16:20] <Decepticon> thanks thanks
[16:20] <Decepticon> wueeeeeeeeeeeeeeeeeeeeeeeeeeeeee
[16:20] <Decepticon> thank you brother
[16:20] <Decepticon> jejejee ,)
[16:21] <Decepticon> i´m configure a server ubuntu 10.04 for my job
[16:21] <Decepticon> thanks
[16:23] <tolland> Decepticon: there is also a pretty good #mysql channel which might be more appropriate for service specific questions... there is a lot of mysql server admin types there
[16:26] <brendand> are there any known issues with running apport-collect on ubuntu-server?
[16:27] <Decepticon> tuxbin:  thanks of, only mysql
[16:50] <tjaalton> hallyn: hey, there's a new xserver-xorg-video-qxl on debian, do you think it would make sense to have in precise?
[16:50] <tjaalton> 0.0.17
[16:52] <adam_g> zul: jamespage Daviey so keystone's test suite is not going to pass unless we patch swift and carry additional patches to test suites that use it, AFAICS
[16:52] <jamespage> adam_g, grrr
[16:53] <zul> the swift /dev/log stuff?
[16:53] <adam_g> or, alternatively, we can try to disable the swift related keystone tests, which look more like integration tests than unit tests
[16:53] <adam_g> zul: yeah
[16:53] <zul> adam_g:  im in favor of disabling those tests
[16:53] <adam_g> we probably would have come across this a while ago if swift's tests were enabled
[16:55] <adam_g> zul: im sure we all are, but what about the requirements of the MIR?
[16:55] <zul> adam_g: well we can add it to the ubuntu-qa testsuite probably
[16:55] <zul> jdstrand: ^^^
[16:58] <adam_g> zul: well, we are running the entire test suite (swift stuff included) already when we package
[16:58] <adam_g> i was able to get those to actually pass on our builds yesterday
[16:59] <zul> adam_g: right i mean disabling the tests in the build and add the tests to the ubuntu-qa testsuite
[17:00] <zul> adam_g: getting swift and keystone working in a buildd is not pratical imho
[17:00] <hallyn> tjaalton: that might fix an open bug, sounds good.  i'm out today though
[17:08] <jdstrand> zul: which mir are you referring to?
[17:08] <zul> jdstrand: keystone
[17:08] <jdstrand> zul: what about it?
[17:09] <jdstrand> I did the mir and it has a conditional ack
[17:09] <jdstrand> see 'Requirements for main inclusion' in https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/881464/comments/15
[17:10] <zul> jdstrand: the testsuite does alot of integration tests for keystone, which is good, however the testsuite uses git to fetch swift and sets it up for you, however running testsuite in keystone during the buildd to make it past is not pratical
[17:10] <zul> s/past/pass/g
[17:10] <jdstrand> zul: can you comment on that in the bug?
[17:10] <zul> jdstrand: of course
[17:11] <jdstrand> zul: so the 139 of the 266 test cases are all a result of swift?
[17:11] <jdstrand> that is more than half
[17:12] <zul> jdstrand: no the keystoneclient tests have been disabled as well becuase of the git usage as well
[17:13] <jdstrand> zul: what is it pulling in? why can't the tests be updated to point at packages that are in ubuntu rather than fetching via git?
[17:13] <jdstrand> zul: the testsuite is basically invalid otherwise because git will move to bigger and better things but the keystone testsuite will stay static in the archive
[17:13] <zul> jdstrand: we tried patching it upstream but they have rejected it
[17:14] <zul> jdstrand: agreed
[17:14] <jdstrand> zul: right, but can we carry an ubuntu delta? we only really care that the testsuite for a specific version in ubuntu works with a specific version of other packages in ubuntu
[17:15] <zul> jdstrand: yeah we can carry the delta
[17:15] <tjaalton> hallyn: ok, maybe I'll skip the sync and wait for you to test it first :)
[17:17] <jdstrand> zul: if the tests are worthless, then we can drop it. however, they seem to be worthwhile
[17:18] <jdstrand> zul: please comment in the bug and I will respond with alternatives
[17:18] <zul> jdstrand: ack
[17:18] <jdstrand> zul: thanks for bringing it up
[17:18] <zul> jdstrand: thanks for discussing it
[17:20] <hallyn> tjaalton: sounds good.  pls email or ping me tomorrow?
[17:21] <tjaalton> hallyn: sure
[17:47] <zul> lovely..
[17:47] <zul> Daviey/adam_g: looks like swift likes to use eventlet-0.9.15
[17:57] <Daviey> zul: Golly.. can you investigate ?
[17:58] <zul> Daviey: looking
[18:09] <smoser> lynxman, so i think i know why logging goes to syslog
[18:12] <smoser> it already goes there before your ocnfig can stop it
[18:12] <smoser> as your config runs after 50
[18:12] <smoser> (50-default.conf)
[18:49] <zul> Daviey: i just run the swift excercises from devstack i dont see anything wrong from the tests, im waiting for more info about that bug
[18:56] <adam_g> zul: on precise?
[18:56] <zul> adam_g: yes
[18:57] <adam_g> zul: what about the swift-bench utility that was run to produce the bug?
[18:57] <zul> adam_g: they havent provided any more info on how to reproduce it
[18:59] <Daviey> zul: ugreat!
[19:00] <adam_g> zul: i think you should have everything you need to run swift-bench in openrc
[19:01] <zul> adam_g: you sure?
[19:01] <adam_g> zul: not certain, but swift-bench -h shows a config file that needs only the keystone endpoint and credentials
[19:01] <adam_g> er, s/keystone/swift
[19:20] <zul> adam_g: got it working havent been able to reproduce it so it might be smething with the guy's config
[22:05] <eb_> I'm trying Orchestra and Juju but with juju bootsrap
[22:06] <eb_> I'm trying Orchestra and Juju but juju bootstrap return an error
[22:07] <eb_> The error is "error: Environments configuration error: /home/localadmin/.juju/environments.yaml: environments.orchestra.acquired-mgmt-class: required value not found"
[22:23] <Daviey> SpamapS: Plans to backport apache 2.4.1 to precise-backports?
[22:23] <SpamapS> Daviey: would love to!
[22:24] <Daviey> SpamapS: gonna happen? :)
[22:24] <Daviey> SpamapS: Didn't you have one knocking around in a PPA?
[22:24] <SpamapS> No
[22:25] <SpamapS> I'm not sure its worth it
[22:25] <SpamapS> 2.2 .. 2.4 .. its still just apache
[22:28] <meerkats> where did the offtopic room go?
[22:29] <Daviey> SpamapS: How is PHP looking?
[22:30] <SpamapS> Daviey: about to start driving nails into 5.4's coffin
[22:30] <ajmitch> still no suhosin patch on the horizon?
[22:31] <SpamapS> nope
[22:36] <adam_g> Daviey: IN: glance, quantum, swift (assuming 1.4.7), horizon. NOT IN: keystone (rc not released yet), nova (in queue), melange
[22:38] <Daviey> adam_g: okay!  thanks for the update.. do we have an ETA on keystone upstream RC?
[22:38] <adam_g> Daviey: i think theres just one bug still in progress with a review in gerrit
[22:39] <Daviey> adam_g: great!
[22:59] <arosales> adam_g: for the blueprint Implementation status for https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-openstack-testing seems it should at least be marked at least with "Good Progress" your thoughts?
[23:00] <adam_g> arosales: oh, ya.  the only TODO will hopefully be DONE after ODS.
[23:01] <adam_g> arosales: the INPROGRESS regarding the stress tests is  misleading now, i guess. ive been working with the upstream on getting a new stress test suite working nicely and implementing it on our openstack CI
[23:02] <arosales> adam_g: "deployment" might also be fitting then.
[23:02] <adam_g> arosales: not so much a porting effort anymore. should i postpone/defer or just change the wording?
[23:03] <arosales> adam_g: If you still will get to it this cycle you can leave the remaining to do as is, perhaps just update the "Implementation" status to something other than "Unknown"
[23:04] <adam_g> arosales: will do, for sure
[23:04] <arosales> adam_g: thanks
[23:07] <adam_g> arosales: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-openstack-charms  this one needs a bit more TLC, but honestly im not sure how much of those TODOs will be done this cycle.  note that none are really tied to the release schedule
[23:07] <arosales> adam_g: tough to work on the charms with the packages being in such flux
[23:08] <arosales> we'll revisit all the "postponed" work items for the next cycle too, so those items don't get forgotten
[23:09] <arosales> adam_g: If your pretty sure they are not going to happen this cycle then might as well postpone, kind of odd since they are not tied to the release
[23:11] <arosales> we can pick them up next cycle, at least for work item tracking ;-)
[23:18] <fluvvell> are people generally more in favour of virtual machines using vmware, or kvm. ( it will be a windows vm)
[23:18] <adam_g> arosales: ok cool. yeah, they're really wishlist features for current juju charms, which can be added anytime really
[23:25] <arosales> adam_g: thank for the updates
[23:34] <_johnny> hi, i'm trying to upgrade from 10.04 to 10.10. network and cd (alternate) both give me the following halt: The package 'update-manager-core' is marked for removal but it is in the removal blacklist.
[23:34] <_johnny> any ideas as to what i'm doing wrong?
[23:48] <tarvid> !iptables
[23:49] <pukeko> howdy
[23:50] <tarvid> https://help.ubuntu.com/community/IptablesHowTo#Logging is short about logging explicitly dropped packets
[23:50] <tarvid> can I add a "log" option to a rule?
[23:53] <pukeko> tarvid: setup a new rule and if the packets met certain requirments jump to that rule and log
[23:54] <tarvid> thanks pukeko , I've been under attack for weeks
[23:54] <tarvid> finally came with a firewall that works
[23:54] <tarvid> just curious who the culprits are
[23:55] <pukeko> hey.. i need to "sync" two samba servers one is offline but needs to be available if the other one dies..
[23:56] <pukeko> what else do i need to sync apart from /etc/group /etc/passwd /etc/samba /var/lib/samba ?
[23:56] <pukeko> * and the data of course
[23:58] <pukeko> tarvid: i used to do it via the interfaces.. if it came in / or out of and matched - then jump to a ruleset
[23:58] <tarvid> basically I just want to drop the sh*t
[23:59] <pukeko> but that could get a bit hard on the brain - when monitoring both out going and incomming over 3 or more interfaces
[23:59] <tarvid> only two
[23:59] <tarvid> someone or someones were sucking me dry