/srv/irclogs.ubuntu.com/2012/07/05/#ubuntu-server.txt

chaos_zerohello i have a server emergency (lol not actually that serious for the world, but serious for me)01:03
chaos_zeroi was trying to clean up all these ip rules i made that did not work so i used the flush command and now the network does not work correctly or do anything even after a server reboot01:04
chaos_zerocan i restore to like it was before the flush01:04
qman__chaos_zero, if you flushed the rules you also need to set an accept input and output policy01:42
qman__sudo iptables -P INPUT ACCEPT; sudo iptables -P OUTPUT ACCEPT01:43
MoleManCan anyone think of any reasons SSH keys may not work for a specific user? the authorized_keys file is identical to that used and working for two other users (bar owner and group obviously)01:43
qman__permissions01:43
MoleMan664, same for all 3 users which have SSH keys set...01:43
qman__~/.ssh must be 700, ~/.ssh/authorized_keys must be 60001:43
qman__well, it's supposed to be anyway01:44
MoleMan#644 not 664. okay, I can change them, but too high permissions shouldn't matter? and is working for two other users like that so :/01:44
qman__sshd cares about that01:45
qman__if your keys aren't secured it won't work01:45
MoleManbut why would it work for two users, but not a third?01:45
qman__especially ~/.ssh and your private key01:45
* MoleMan is fixing anyway01:46
MoleManI don't actually have any keys set on the server, only authorised keys, and am using PuTTY from windows...01:46
qman__could be the user's shell01:47
qman__is it a valid shell?01:47
MoleManI believe is bash, same as the others, and I can login and interact properly if I manually enter password...01:48
qman__ok01:48
MoleManhave just fixed the permissions, about to try again01:48
MoleMan-_- it worked...01:48
MoleManmust have been the directory permissions... I think they were different...01:49
MoleManthanks :)01:49
qman__yeah, that one's not so obvious if you haven't seen it before01:49
qman__the other issues have better indicators01:49
MoleManI know I'm probably about to get told that it's bad practice to actually have the www-data account with a password and changed shell and in a usable condition etc blah blah blah01:52
MoleManbut how could I give the www-data full access to run 'service apache2 reload' without errors?01:53
MoleManbecause the service should start using permissions as www-data, but it still requires root/sudo to be able to start/stop/reload it without errors?01:54
qman__add a sudoers rule to specifically allow www-data to do only that01:54
qman__but yes, that's still an incredibly bad idea01:54
qman__at the very least, set up the keys and remove the password01:55
qman__and make sure you use absolute paths for the commands01:56
MoleManbearing in mind it isn't a production server, is just a random server hosting a few unused sites etc in the other room, what are the main issues with doing so? (I know its a bad idea, I just never looked properly into why) I mainly added the password for FTP access because I was getting annoyed by permissions...01:56
qman__that's an even worse reason for doing so01:56
qman__just create a new user, add them to the www-data group, done01:56
qman__www-data shouldn't actually own anything it doesn't absolutely have to anyway01:57
qman__your website files should be owned by root or the user who maintains them01:57
qman__www-data should merely have read access through world permissions01:57
qman__the main problem is that websites are not just static pages anymore01:58
qman__and scripts, especially php scripts, are vulnerable to attack01:58
qman__and your scripts run as www-data01:58
qman__so www-data should not be able to do anything destrucgive01:58
qman__destructive*01:58
MoleManbut it has to be able to write to files for certain php files to work and do what they're meant to...  and it has to own/be able to access its own config surely?01:59
qman__no01:59
qman__if you're allowing writing, it should be strictly limited02:00
qman__to a single directory or file02:00
qman__and it should be able to read its config through world-read, like most everything else02:00
qman__the www-data user is not trustworthy and should be treated as such02:00
MoleManhmmm, I will take what has been said on-board :) and will act upon it at some point...02:01
MoleManI think both my PC and server are due a rebuild sometime soon anyway02:01
qman__while you're at it, you shouldn't use FTP either02:02
qman__SFTP is in all ways superior02:02
MoleManif so, why does FTP appear to be the more commonly used standard? or is that either my misconception, or it spreading across from windows servers?02:03
qman__ignorance, mostly02:04
qman__http://mywiki.wooledge.org/FtpMustDie02:04
qman__if you want some more substantial reasoning02:04
MoleManyet large webhosts etc surely have no excuse for ignorance, yet give their users FTP not SFTP? or is that more because SFTP uses actual user accounts, where FTP can be configured alternatively?02:05
qman__no, just ignorance and laziness02:05
qman__it's rampant02:05
MoleMan(if I'm coming across as argumentative its not the intention, this is just the style I discuss things in to understand better)02:05
MoleManjust thought I'd throw that out there, as people have had problems with my attitude before when I'm just trying to discuss and understand/learn :)02:06
qman__especially if you're using SSH already, there's no reason not to use SFTP02:06
qman__you already have it, your users are already configured02:06
qman__and restricting users to SFTP and not SSH is easier than ever since about a year and a half ago02:07
qman__there's a built in sftp-only feature02:07
qman__and chrootdirectory02:07
qman__and there's winscp and filezilla for windows users02:07
MoleManI know FileZilla supports SFTP as a client, my comment about windows was more to whether it is possible to host a SFTP server on windows?02:08
qman__yes, with filezilla server02:09
qman__there are other programs too02:09
qman__I don't think microsoft has an SFTP server in IIS yet02:09
qman__but enabling FTP in it requires significant hoop-jumping too02:10
qman__about the only thing FTP has that SFTP doesn't is anonymous file uploads/downloads, but that's easily accomplished with HTTP and a simple website, and is usually a bad idea anyway02:12
qman__and you could always create a public user account too02:12
MoleManyeah, I agree it's a bad idea, and surely can be achieved by creating an account 'anonymous' with a blank/obvious password anyway02:13
MoleManbeat me to it :P02:13
MoleManconsidering anonymous FTP actually theoretically uses your email address doesn't it? or something like that... I can't remember02:13
ScottKhttp://mywiki.wooledge.org/FtpMustDie02:14
MoleManScottK: yeah qman__ had already linked and I am reading, had just popped back to comment that I like the blunt terminology of 'your wiki page about FTP protocol being shit'02:18
ScottKThere's really no excuse for ftp anymore.02:19
MoleManawkward moment when I can't even see what FTP server I have installed to remove... I thought it was SFTPD or something, but apparently that isn't there...02:22
MoleMancan't even remember what I was doing anymir02:24
MoleManmore#02:24
qman__so, is there any way to find out where my server is hanging when there's no screen output and no logs written?02:40
qman__I know it gets past fsck, because I've seen it doing the disk activity checking the disks02:40
qman__and the interface is up and pings, but that's it02:41
qman__I get a blank screen with a blinking cursor 2/3 the way down02:41
qman__and I'm already booting without quiet splash and with nomodeset noplymouth02:42
john206Hi guys, can anyone help me out with ks.cfg file?03:14
john206anyone? :)03:15
john206out of 100 people here not even one volunteer cool :)03:17
=== blkperl_ is now known as blkperl
AlfafaHi anyone have problems with maildrop making temporary failures since yesterday? (I thought it could be updated packages. But only gnutls related packages + cron was updated - and I don't see the maildrop binary linked to gnutls libraries)06:42
AlfafaIt seems there is somehow a problem. When I now run maildrop -d <user> I just get a message like this: ERR: authdaemon: s_connect() failed: No such file or directory06:53
AlfafaThe only packages upgrade between working and nonworking is: libgnutls-openssl27:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutls26:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutls26:i386 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutlsxx27:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), cron:amd64 (3.0pl1-120ubuntu3, 3.0pl1-120ubuntu4), libgnutls-dev:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1)06:53
AlfafaI haven't had the authdaemon installed because I don't use it, but maybe maildrop tries to connect to it via gnutls and something in gnutls is changed/fails ?06:54
moothecowHi, I'm a bit confused. Since when does cache make it into swap? Either that, or top is hopelessly incorrect.06:59
moothecowWe run online backup software on it in java, there's 2 java processes, according to top they use 38.3 and 8.4% of the memory (4GB). Yes, there's 3.8G used (of which 1.6 buffers) and 2.7G swap in use (adding all mem percentages in top comes only around 50% of memory)07:01
Alfafamoothecow: Didn't see your original question. Is the problem that the processes are spinning cpu?07:18
moothecowno the problem is there's memory in use that I can't relate to a process07:19
moothecowhave stopped the backup software now, according to free there's still about 3G memory used. Swap is nearly empty now (only 71MB)07:19
moothecowsorting by memory in top (M) lists 3 processes with 0.1% mem, the rest is at 0.0...07:19
=== smb` is now known as smb
moothecowso there appears to be 3G in use by air or something like that :)07:20
_rubenmoothecow: if you find a way to track back that kind of memusage to something useful, let me know ;)07:20
_rubenhave had similar challenges in the past as well :)07:20
moothecowMust be a memory leak or something... find it quite amazing anyways, there's a community grid client on it07:21
moothecowoh world community grid, that's it... but according to top that's hardly using memory, it seems to have died cause it should use a lot of cpu :D but it's idle07:21
_rubenit decided to "use" mem instead of cpu apparently07:22
moothecowperhaps, but stats don't reflect that :/07:22
_rubeni (also) don't understand how the system could claim memory as being used, but not "know" what's using it, apparently07:22
moothecow_ruben: can buffers end up in swap? afaik they shouldn't07:22
_rubenthat'd be really strange07:23
_rubenthe whole idea about cache and buffers to make things faster, not slower ;)07:23
moothecowyea but it runs iet(d) (iscsi enterprise target) in fileio mode07:23
blinkizHi. I need examples how to get prefix delegation to work from a dhcp v6 server. Am talking http://tools.ietf.org/html/rfc363307:24
_rubeneew ... ietd07:24
moothecownever quite understood which is faster anyways fileio seems to do much more caching07:24
moothecowyea looking at switching to lio07:24
moothecowunfortunately, they have removed vaai from the roadmap... seems to be implemented but only on the paid version07:24
_rubenmight research lio someday, using scst currently07:24
moothecowlio has error corrections etc. (iet doesn't - not sure on scst I really like the design (never used it tho') but it was never allowed into the kernel)07:25
moothecowthey include lio instead... think scst would have added some stuff for the general scsi stack as well so that's unfortunate07:25
_rubenscst builds fine through dkms, for optimal performance you'd need to apply some small kernel patches tho, which i dont bother with07:26
moothecowlio on the other hand had vaai on the roadmap for the free version at some point (but it's gone and can't find any mention of it other than on the commercial version)07:26
moothecowso that kinda had me excited for nothing :D07:27
moothecowlio and scst should perform similar iirc07:27
_rubenthere's been quite some discussions on the scst mailinglist about getting it mainlined, the scst devs had the feeling they weren't treated in a fair manner, and lio just getting shoe-horned in instead07:29
moothecowI read the kernel posts on that07:30
moothecowapparently he insisted on using /proc, all they wanted was him to use the new standards (sysfs, etc.) lio uses configfs (actually getting quite fed up by all the new fs's, how many do we need... there used to be just /proc :D)07:31
_rubenit crossed a shitload of mailinglists ;)07:31
_rubenscst has moved to sysfs quite some time ago (mostly due to that discussion)07:31
_rubenprocfs is still left for backwards compat and stuff07:32
_ruben(compiletime option)07:32
moothecowhmm but now that they choose lio they won't move soon I presume... :/ scst offers a lot of advantages for the entire scsi stack tho'07:32
moothecoware you aware of any distro's using it by default?07:32
_rubenthere's tons of freenas and likes that ship it i think, never really looked into any of those07:33
moothecow_ruben: freenas is freebsd :)07:34
moothecowunfortunately oracle closed zfs before implementing encryption, it's the only feature I miss that's been released since then. Never got why they didn't port it, btrfs is nowhere near zfs capabilities07:36
moothecowusually resort to freenas for zfs tho'07:36
_rubenmoothecow: yeah, didnt mean the freenas project specifically, but more like a global name for all those storage appliances out there07:40
moothecowI saw a product named comstar or something like that once, I suspect they use it too. It creates virtual tape drives over iscsi. You inject 'tapes' into it (just image files from what I can tell) and you can actually just write those image files to tape again. Never quite got why people want backup2disk like that (with virtual tape emulation et al) but the idea was nice07:42
_rubenisn't comstar solaris' iscsi stack?07:44
moothecoweh my brain needs to wake up ... perhaps they share names07:45
RoyK_ruben: iscsi target, not initiator (afaik)07:45
_rubenCOMSTAR – an enterprise SCSI target system supporting iSCSI/iSER/FC/FCOE07:45
_rubenas listed on openindiana site07:45
RoyKyes... target07:46
_rubeni'd look into openindiana for our storage clusters, if only i could be arsed to learn a new os :P07:46
RoyK_ruben: but iirc COMSTAR isn't in use for s10, and maybe not for s1107:46
_rubenRoyK: wouldn't know, never used any of it ;)07:47
RoyKseems comstar is there in s11 http://docs.oracle.com/cd/E23824_01/html/E24456/storage-7.html07:47
moothecowHmm that much different from opensolaris?07:47
moothecowillumos is a fork of opensolaris by nexentastor iirc07:47
_rubennexentastor has been on my radar as well07:47
RoyKmoothecow: not really, nexenta is part of the illumos project, but they never started it07:48
RoyKmoothecow: it all started with a fork from opensolaris to openindiana, then illumos was separated to take care of OS/Net (kernel + vital userspace stuff)07:48
RoyKmoothecow: now openindiana is lacking developers to continue support of the rather large amount of packages available, and SmartOS or OmniOS may be better choices for future installations07:50
RoyK(according to Alasdair Lunden, the original OI founder)07:51
=== matsubara-afk is now known as matsubara
efpehi08:18
moothecowRoyK: thx for the info :)08:19
moothecowstill hoping oracle will release ZFS... but I'm not going to hold my breath on it :D. It would immediately fulfill their desire for an enterprise FS on linux tho'08:20
efpei have a problem with booting a half-hardy/half-karmic system08:20
moothecowefpe: err half?08:20
efpeis there a chance somebody can help me?08:20
efpemoothecow: yes :/08:20
efpeour old sysops made this :P08:20
moothecowdo-release-upgrade f* up?08:20
efpehttp://www.efpe.hu/ubi/08:20
efpemoothecow: that will be the next step.. but i have to boot the system :P08:21
efpemountall hangs after "fhs mounted"08:21
moothecowcan't do much with the screenshot, see processes exiting but the reason why is probably ^08:21
efpei can get a shell with sulogin (or init=/bin/bash) and i'm able to remount the filesystem with rw08:22
efpewhen i run mountall (without initctl), it returns with 008:23
moothecowdid it used to boot fine?08:23
moothecowI'm a lazy bofh... I'd just boot with a livecd, chroot into the install and have it do do-release-upgrade :P08:23
moothecowmight want to backup the import stuff first08:23
efpegreat question.. this server had 5-600 days uptime08:23
efpemoothecow: yep, this will be the next step but i thought somebody maybe can help...08:24
efpei'm not an expert of the event based booting..08:24
efpethe interesting part is that the init is able to mount the swraid08:25
efpeas you can see here: http://www.efpe.hu/ubi/boot/08:26
moothecowefpe: yea found those... the 'mountall goal changed from start to stop' looks interesting too08:26
moothecowsearching that line gives a couple of launchpad links, you might want to delve into those08:28
efpeoh, okay, thanks :)08:29
efpei found interesting the "mountall state change from post-stop to waiting"08:29
moothecowefpe: http://wiki.prgmr.com/mediawiki/index.php/Upstart_troubleshooting08:33
moothecowhe added --verbose in grub, mount process dies there too because of missing locale08:33
efpehmm, the screenshots contains the --verbose and --debug options too :P08:34
efpebut this link looks like interesting08:34
moothecowyea but your mount process unfortunately doesn't say why it dies (it even says exited *normally* :D)08:35
efpeyep that's the interesting part...08:35
efpebtw my locale looks okay :(08:36
moothecowi'd still just upgrade it :P08:36
moothecowrunning half/half might be the issue08:36
efpeyes :(08:36
efpebut i'm afraid i have to find a solution :(08:36
moothecowsome old version of a process might just return something a new version of a script doesn't expect or something like that08:37
efpethis is the nfsroot/tftpd/etc server in our network08:37
efpeand it has a second node which runs for now..08:37
efpei'm afraid when the upgrade will be done, something will go wrong08:37
efpemoothecow: i think you are right :(08:37
moothecowmaybe but it's easy to backup linux machines :)08:40
=== Aaton_off is now known as Aaton
moothecowand it's probably better troubleshooting an issue that needs to be handled than one that might just magically disappear with an upgrade08:40
efpemoothecow: :D08:41
=== Aaton is now known as Aaton_off
efpehmm08:42
efpehttp://www.efpe.hu/ubi/waiting.png08:42
efpeanother interesting thing...08:42
moothecowisn't /tmp in tmpfs?08:45
Davieyjamespage: Which packages are you thinking of?08:48
jamespageDaviey, restlet and simple-http08:49
Davieyjamespage: I'm gonna reject them.08:49
jamespageDaviey, thanks :-)08:49
jamespageDaviey, they are deps for the floodlight openflow controller work08:50
Davieyjamespage: ok08:50
efpemoothecow: there's no /tmp in /etc/fstab08:51
moothecowhmm one wonders why it wants to mount it then, but not familiar enough with ubuntu's init scripts08:51
efpeme neither :(08:52
efpeanother thing is i can get a console with sulogin08:53
efpemount says it's readwrite, but it's readonly08:53
efpemoothecow: is it possible to use standard booting mechanism like sysv?08:55
moothecowI dunno, I just run ubuntu on some servers. In theory you can make it run sysv obviously, question is if ubuntu has support for it or if it means you'll have to write the entire init scripts yourself (and more importantly, maintain them)08:56
efpemoothecow: you're right08:59
moothecowkinda like you can run half/half in theory too, but nobody is going to support it ;)08:59
efpe:D:D08:59
Davieyjamespage: is restlet really released under all of these, Apache-2.0 or CDDL or EPL-1.0 or LGPL-2 or LGPL-2.1 ?09:01
moothecowis the machine complex? You could just exclude your nfs export dirs from backup and thus backup the import dirs like /etc, /lib, /usr, /opt, /var, etc., boot livecd, chroot into the system (make sure proc, sys, etc. are mount -o bind to chroot) and try upgrading, if it doesn't work boot live cd again, wipe the dirs and restore them from tar09:01
Davieyjamespage: wow, http://www.restlet.org/about/legal09:01
jamespageDaviey, apparently so - and the headers are all in place on every file to state so09:01
jamespageDaviey, yeah - I was surprised as well09:01
jamespageDaviey, the most awkward thing about restlet is how I have to generate the orig.tar.gz09:04
Davieyjamespage: You've left debian/maven.* boilerplate there.. that is convention for maven packages, right?09:04
jamespageDaviey, yeah09:04
jamespageit appears to be09:04
Davieyjamespage: yeah, i was just grokking the get-orig script :)09:04
jamespagethe maven-debian-helper gets confused otherwise09:04
efpemoothecow: i forgot to mention we use drbd :)09:05
jamespageDaviey, its still built from official source artifacts - just ones pulled and verified from the central maven-repo09:05
efpeand the other node is half/half :D09:05
moothecowis there anything important on the machine that isn't on the other node? You might just try reinstalling it, get it connected with drbd etc and make it master then do the same with the other node :)09:06
Davieyjamespage: Yeah, looks good.. I was surprised to see the ^M carriage returns.. :)09:06
jamespageDaviey, thanks v much09:08
jamespageDaviey, lol09:08
jamespageI love working with Java ;-)09:08
efpemoothecow: yeah, i should do that09:09
moothecowI take it you mean the coffee variant of it :P09:09
efpe:D09:09
=== zyga is now known as zyga-afk
=== cpg is now known as cpg|away
=== daker__ is now known as daker_
ivokszul: around?10:23
=== daker__ is now known as daker_
=== matsubara is now known as matsubara-afk
Davieyivoks: zul won't be around for a bit.. can anyone else help?10:54
ivoksDaviey: i was wondering if anyone had success with openstack on arm11:03
=== zyga-afk is now known as zyga
Davieyivoks: YES11:30
Davieyivoks: zul has a patch for libvirt on highbank.11:31
ivoksDaviey: hm... i have problems before libvirt kicks in11:33
ivoksDaviey: i'll talk to him once he's online11:33
Davieyk11:33
Davieyivoks: it's probably debian bug 670680 ?11:35
uvirtbotDebian bug 670680 in src:python-greenlet "armhf sigsegv's on task switch" [Important,Open] http://bugs.debian.org/67068011:35
ivoksDaviey: no, issues are with preparing the disk image for the instance11:36
ivoksDaviey: nbd never gets properly created11:36
ivoksDaviey: i'm interested to see if he had some hacks in that area before i dig into the code11:37
ivoksDaviey: for some reason, nova keeps trying mounting whole disk, instead of partition11:37
Davieyhum, interesting11:38
zulivoks:  whats up?11:48
ivokszul: i was wondering if you had problems with starting instances on openstack on arm11:49
ivokszul: in my case, when nova starts preparing the instance image, it fails with error 32 when mounting nbd15 as rootfs11:50
zulivoks: i did...i was able to get as far as starting instances but i had veth problems that need to be fixed on both x86/arm first11:50
ivokszul: but the problem happens much sooner11:50
zulon quantal?11:50
ivoksprecise11:50
zuloh....i was working on quantal11:51
ivokshm... with newer openstack, right11:51
zulright11:51
ivokshmph hmph...11:51
zulyou need a fix for libvirt and greenlet and euca2ools11:51
ivoksi don't get to see libvirt at all :)11:52
ivoksand greenlet i have fixed11:52
ivoksso... this is the failure11:54
ivoksnova-rootwrap mount /dev/nbd14 /var/lib/nova/instances/instance-00000009//rootfs11:54
ivoksthat fails11:54
ivoksbut... i can see problems popping much sooner than that stage11:54
zulhmmmmm...11:54
zulhave you tried using libguestfs instead?11:55
ivoksnope11:55
ivoksi mean11:59
ivokseven this fails:11:59
ivoksresize2fs /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_211:59
ivoksbut this is where it starts:12:00
ivoksqemu-img resize /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_2 21474836412:00
ivoks812:00
ivoksthank you c/p12:00
ivoksqemu-img resize /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_2 214748364812:00
ivoksthis fails with exit code 812:00
ivokscause that over there is not partition, but a disk12:00
ivoksok, if you haven't had this problem, i'll dig into the code to see what's going on12:01
ivokswhat's the libvirt fix you are talking about?12:02
ivokscause, it looks like libvirt creates the image12:04
ivokslunch time... i'll be back in 30 minutes12:05
=== K4k_ is now known as K4k
RoyKmoothecow: ZFS is released under CDDL, regardless of what Oracle is doing, but that doesn't help Linux users, since CDDL and GPL aren't compatible13:09
ScottKRoyK: Unless you can afford lawyers like Google, I don't think it's safe to think a Free license is going to be enough you don't have to worry about what Oracle does.13:11
RoyKScottK: I don't think it's healthy to have that amount of paranoia - there are thousands of installations around with Illumos-based OSes, some, like NexentaStor, with commercial support13:12
ScottKGiven what just happened with Java, I think it's reasonable concern for foreseeable risk.  Not everyone will agree, of couse.13:13
ScottK... course.13:13
RoyKif Oracle wanted to sue the storage people using CDDLed ZFS, they would have done it a long time ago13:13
RoyKwhat java thing? there have been several13:14
ScottKUp until not so long ago you might have made the same statement about Java.13:14
ScottKThe lawsuit that they filed and totally just lost against Google.13:14
RoyKwhere Google had used code from Java in Android?13:14
RoyKand thereby broken the license?13:15
ScottKhttp://www.groklaw.net/staticpages/index.php?page=OracleGoogle13:15
ScottKThat case, but the one where they hadn't broken any license.13:15
moothecowRoyK: no it isn't, it's closed since version 2913:15
ScottKOr to the extent code was found it was totally de minimis and clearly not intentional.13:16
RoyKmoothecow: Oracle's ZFS is closed, yes, but Illumos' ZFS has the same stuff, minus encryption13:16
ScottKThe bigger concern is that Oracle discovered the novel theory that APIs are copyrightable.13:16
moothecowRoyK: yes, that's because it stuck at version 28, just like the bsd, zfsonlinux and other implementations13:16
ScottKFortunately the judge said they were wrong.13:16
RoyKmoothecow: and it will be stuck at version 28, because illumos has moved away from that versioning scheme, for very good reasons13:17
ScottKBut it's evidence that just because nothing you know about the law right now makes you think you're at risk, there's no guarantees Oracle won't come up with some new craziness.13:17
moothecowRoyK: then they better ditch the name ZFS too ;)13:17
RoyKScottK: oh - that's pretty bad...13:17
RoyKmoothecow: not really, it was released under CDDL under that name13:17
ScottKYeah.13:17
RoyKwhy are you guys so paranoid? it won't make much difference if they call it IlluFS, it's the same thing13:18
moothecowRoyK: yes, but once implementations start to differ, bad things will happen and so they can no longer use ZFS as the name (in my humble opinion - and Oracle will probably force them at that point)13:18
ScottKAsking for renaming is not unreasonable.13:18
RoyKI can't find that article, but the new versioning scheme will be tag based, allowing different implementations, potentially with different features, to co-exist13:20
RoyKanyway - asking me to rename Illumos ZFS in #ubuntu-server won't help much ;)13:20
moothecowRoyK: great - and who decided that? They have *NO* rights on ZFS whatsoever. - I'm not asking you to do anything ;) just stating that if they change / add features it's not ZFS anymore, Oracle dictates that featureset, as well as the implementation specifics etc. I'm also not saying anything is wrong with that.13:21
RoyKmoothecow: have you read CDDL?13:21
ScottKBut as RoyK suggests, this isn't the place it'll get sorted out.13:22
xnoxwell ZFS is proprietary now. The last revision under SUN was under CDDL, the later revisions which add e.g. encryption and other bits have not been released13:32
xnoxso e.g. FreeBSD implementation is stuck at the obsoleting ZFS revision....13:33
RoyKxnox: that only depends on how you see it. the illumos zfs implementation has replaced versioning with feature tags or something, and those changes are likely to be ported to fbsd13:34
RoyKbut then, if you start out with Oracle ZFS being the only true implementation, then of course, illumos' ZFS implementation will be "obsolete", but then, that's only if trying to move a dataset from Oracle Solaris 11 or later13:35
RoyKmeaning move the physical disks around, or try to install illumos on a previous s11 system13:35
xnoxtrue.13:37
xnoxTBH the future looks glum: both ZFS author and Btrfs authors left Oracle.13:37
xnoxso... I wonder if they have FS devs left working on these or not.13:37
uvirtbotNew bug: #960350 in keystone (main) "Cleanup Keystone package descriptions" [Undecided,New] https://launchpad.net/bugs/96035013:41
hallynstgraber: notice you marked the api as done.  what did you still need from me to code for it?  do you plan to stick it into the package soon-ish, or wait for more upstream confirmation?13:52
hallynfor that matter i suppose i can toss it into my github tree to 'formally' ask for review from dlezcano :)13:53
stgraberhallyn: yeah, I marked it as done as it looked like most of the hard work was done, now it's really just catching up with the C library whenever new features are added, but that's quite easy to do on my side13:53
hallynstgraber: (doing +1 maint at least through next week, so not much time) can you send an email reminding me what you need me to code?13:54
stgraberhallyn: as I mentioned on Friday, there are quite a few functions that I'll need for some tools using the API, so there's still quite a bit of work to do on the C side of the API13:54
stgraberhallyn: ok, I'll send you an e-mail13:54
hallynstgraber: thanks13:54
stgraberhallyn: also, do you have any opinion on allowing shmmin/shmax (or whatever they're spelled these days)13:55
stgraberhallyn: I've noticed quite a few people hitting that problem on the lxc mailing-lists (trying to raise the limit and failing because of apparmor)13:56
hallynstgraber: what do we need to do to help those people?13:57
hallyndo they need a new policy?13:57
hallynwe can try adding a 'lxc.ipc.shmin' config option13:57
stgraberhallyn: I think just allowing write access in apparmor, if these are indeed safe13:58
hallynstgraber: <shrug>  that's more susceptible to DOS of course14:01
hallynthe lxc.conf file is owned by host owner, whereas if we allow the container to write to the sysctl files, we're trusting the container owner14:02
hallynbut oh well, priorities :)14:02
hallynstgraber: so we should start considering how to ship helpful bits of policy14:02
hallynstgraber: i wonder if we can use various abstractions/lxc/* bits that can be combined in per-container policies14:03
hallyn/etc/apparmor.d/abstractions/lxc/{nested,ipcshm,...}14:04
stgraberhallyn: what would be the risk of DOS here? As I understand it /proc/sys/kernel/shm* are tied to the IPC namespace so changing these values shouldn't affect anything outside the container14:04
hallynstgraber: well they can set shmmax to host-max and fill it up...14:05
hallynthat's just tied to a tmpfs mounted on /dev/shm right?14:05
hallynso worst case they can fill up a tmpfs, but that *can* affect the host14:06
stgraberhallyn: right, but they can already fill the tmpfs at the moment, so I don't see how that's making things any worse14:06
=== Gorfi is now known as EA1GIY
zulstgraber/hallyn: is there examples of how to use the api stuff?14:12
stgraberzul: There are a bunch of binaries to show how the C api works and an example python script in python3-lxc14:12
hallynstgraber: agreed, def not worth the time to code a new config at the moment.  what do you think about /etc/apparmor.d/abstractions/lxc/ pre-filled with some useful policy bits?14:13
hallynzul:  download stgraber's source tree or packages from ppa14:13
hallynexamples14:13
stgraberhallyn: that's pretty much what we have already no?14:13
stgraberstgraber@castiana:~$ ls /etc/apparmor.d/abstractions/lxc*14:13
stgraber/etc/apparmor.d/abstractions/lxc-container-default14:13
stgraber/etc/apparmor.d/abstractions/lxc-start-container14:13
stgraberhallyn: though for shm I'd just allow it for everyone as it's not making things any worse. The real problem here is tmpfs.14:14
zulstgraber:  is the source available somewhere?14:15
hallynstgraber: i think we should not pollute /etc/apparmor.d/abstractions as much,14:15
hallynstgraber: and document :)  but that's for later.  do you want to queue up the policy change when you get a chance, or should i?14:16
stgraberzul: ppa:stgraber/experimental the branch is lp:~ubuntu-lxc/ubuntu/quantal/lxc-api-and-python (tends to be rebased fairly often, so --overwrite is usually required)14:16
stgraberhallyn: I'll prepare the policy change and move things under abstractions/lxc/, I'll also add the policy change to the next SRU and get that uploaded (6 changes are way enough for one SRU)14:17
hallynstgraber: :)14:17
RoyKxnox: there was only one btrfs guy in Oracle, Chris Mason, and he has said he'll keep up his work with btrfs http://www.muktware.com/3678/btrfs-creator-chris-mason-leaves-oracle14:37
xnoxor he will disappear with internal work in the new workplace due to copyright assignment.14:37
hallyndude.  i hadn't heard he was leaving14:38
hallynor, i guess, had left :)14:39
RoyKxnox: he'll be working with storage in his new job as well, and according to the people in #btrfs, there doesn't seem to have been much change14:39
RoyKxnox: there are other developers too, you know ;)14:39
=== zyga is now known as zyga-afk
=== zyga-afk is now known as zyga
melodie_hi14:59
RoyKho14:59
melodie_I am not sure whether here is relevant for this question : there is a package "chkconfig" in Precise, it is obsoleted by the use of Upstart Jobs. what to do ?15:00
patdk-wknot so much as obsoleted, as it was never recommended15:01
patdk-wkit is just there to let rhel/centos people have an easier time15:01
ScottKpatdk-wk: It actively doesn't work now though.15:02
patdk-wkoh? heh :)15:02
melodie_this version has nothing to do with the one provided by rhel or fedora and it has a bug15:02
ScottKBut there are a number of packages that do something useful in Debian, but not Ubuntu and generally we just ignore them.15:02
melodie_patdk-wk, it asks for /sbin/insserv which is not there but in the /lib tree directory15:02
ScottKTrying to maintain a large blacklist of such packages isn't a cost effective use of engineer's time.15:03
melodie_ScottK, why not clean out the repos from unsuseful packages to make it easier to find the ones that are useful ?15:03
ScottKmelodie_: Don't bother trying to figure out how to fix it.  It won't work.15:03
patdk-wkya, sounds like it's limited to init.d, not upstart15:03
ScottKPrecisely.15:03
melodie_ScottK, sure, I have tried : I created a symlink to see what and the shell insulted me verbosely telling me that it was the Upstart Job work15:04
ScottKmelodie_: Historically sync blacklist maintenance has been a lot of work.15:04
ScottKSome recent changes might have made it more scalable.15:04
ScottKLet me ask about it.15:04
melodie_yes, for sure !15:04
melodie_I would be very happy to bring a contribution even small by pointing to such details15:05
ScottKI've asked for advice on the matter.15:07
melodie_ScottK, thanks, I'll stay connected here for a moment, in case you get an answer before this evening15:16
ScottKmelodie_: I'll remove it for the next release (quantal).  After an Ubuntu release packages are never removed (except for legal reasons and I only remember that happening once).15:19
melodie_ScottK, that is very good ! Is there a place where it is especially relevant to go, in order to point to such obsolete packages that could be removed for a next release of the distro ?15:21
ScottKFile a bug against the package and subscribe the ubuntu-archive team to the bug.15:21
melodie_ScottK, ok, I look15:22
ScottKmelodie_: Have a look at the top entry in https://launchpad.net/ubuntu/+source/chkconfig/+publishinghistory15:25
FunnyLookinHatIs anyone aware of plans to get php5.4 into 12.04 - or will it wait for 12.10 ?15:26
melodie_ScottK, thanks for the pointer15:26
melodie_the link...15:26
ScottKYou're welcome.15:27
ScottKFunnyLookinHat: 12.10.15:27
stgraberjjohansen: ping15:27
jjohansenstgraber: hey15:28
stgraberjjohansen: hey there, so I'm looking at blocking access to /proc/sys/kernel/* except for shm*. I tried "deny @{PROC}/sys/kernel/[^shm]* wklx," but that doesn't seem to work :) what am I missing?15:28
stgraberwhere "not working" shows up as everything being writable15:29
jjohansenstgraber: hrmm, that should block several things15:30
melodie_ScottK, ok got it, so I think I don't need to file a bug report ?15:30
ScottKmelodie_: Not for this one.15:31
stgraberjjohansen: our previous rule was "deny @{PROC}/sys/kernel/** wklx," which works great, except that it doesn't allow shm* and that's causing problems to some users15:31
jjohansenstgraber: you are looking more for @{PROC}/sys/kernel/[^s][^h][^m]* wklx,15:32
stgraberjjohansen: gah, indeed I am... :)15:32
melodie_ScottK, all right ! you are a very efficient server manager ! thanks15:32
stgraberjjohansen: and my test file started with "m", explaining why it was allowed :)15:32
melodie_going now15:33
ScottKImagine how efficient I would be if I was getting paid to do this. ;-)15:33
melodie_bye15:33
melodie_ScottK, same here15:33
jjohansenstgraber: lmk if that doesn't work and I'll dig into the compiled expression15:33
melodie_I have done remasters for pclinuxos for 3 years, now they have gone mad I'll continue with Ubuntu15:33
melodie_:D15:33
melodie_++15:33
melodie_:)15:34
stgraberjjohansen: looks like it's working. I ended up going with:15:38
stgraber  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,15:38
stgraber  deny @{PROC}/sys/kernel/*/** wklx,15:38
stgraberjjohansen: as for some reason "deny @{PROC}/sys/kernel/[^s][^h][^m]**" doesn't work and neither would "deny @{PROC}/sys/kernel/[^s][^h][^m]*/**"15:38
jjohansenstgraber: hrmm, I'll look into that, can you paste me the whole policy so I can be sure I don't have any differences to what you are trying15:40
stgraberjjohansen: http://paste.ubuntu.com/1076605/15:41
jjohansenstgraber: okay, thanks15:42
jjohansenstgraber: oh can you also pastebin me the test paths that were failing15:43
stgraberjjohansen: I tested with /proc/sys/kernel/shmmax (should be writable), /proc/sys/kernel/modprobe (shouldn't be writable) and /proc//sys/kernel/yama/ptrace_scope (shouldn't be writable)15:45
jjohansenstgraber: thanks15:46
=== dendrobates is now known as dendro-afk
keesstgraber: are you running that container without cap_sys_admin?15:56
stgraberkees: nope, the container has cap_sys_admin15:56
=== matsubara-afk is now known as matsubara
=== Lcawte|Away is now known as Lcawte
stgraberhallyn: tested the apparmor changes, everything looks good so uploading these to quantal, will then rebase lxc-api-and-python on that and will prepare the SRU16:03
stgraberhallyn: changes that will make it to that SRU: http://paste.ubuntu.com/1076669/16:24
hallynSpamapS: the proposed SRU fix for bug 989354 was incomplete.  To push the complete fix, I assume I need to use a new version # on top of the previous?16:25
uvirtbotLaunchpad bug 989354 in cgroup-lite "cgroup-lite and separated /usr " [Critical,Confirmed] https://launchpad.net/bugs/98935416:25
hallynstgraber: hm.  the dhclient one - that will continue to actually send its hostname then?16:26
hallynok yeah that sounds good16:26
hallyn(want to make sure that 'ssh containername.' will continue to work)16:27
stgraberhallyn: yeah16:27
hallynstgraber: list looks good.  odd that the LP#s are XX'd out16:27
stgraberhallyn: these are place holders, I need to file these bugs :)16:27
stgraberfor the dhclient stuff, lxc-ubuntu didn't have the mangling of dhclient.conf and AFAIK it works fine, it's only lxc-clone that was doing that sed call16:28
hallynoh, right, makes sense16:29
BinaryMasterQuestion: I am following the instructions on http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html  to install openLdap however /etc/ldap/schema is empty16:59
BinaryMasterany way to get a copy of the ldif files that should be there?17:00
hallynSpamapS: I've uploaded a new (complete) fix to precise-proposed for bug 989354, fwiw17:12
uvirtbotLaunchpad bug 989354 in cgroup-lite "cgroup-lite and separated /usr " [Undecided,Fix committed] https://launchpad.net/bugs/98935417:12
BinaryMasterldapadd: invalid format (line 12) entry: "olcDatabase=hdb,cn=config" anyone know what this error means?17:15
SpamapShallyn: I won't likely look at SRU's until next Wednesday17:21
hallynSpamapS: ok17:21
=== cpg|away is now known as cpg
uvirtbotNew bug: #1021411 in lxc (universe) "LXC should allow writting to /proc/sys/kernel/shm* as they are covered by the IPC namespace" [Wishlist,In progress] https://launchpad.net/bugs/102141118:06
uvirtbotNew bug: #1021416 in lxc (universe) "lxc-clone shouldn't be messing with dhclient.conf, causes conffile upgrade prompts on quantal" [Medium,In progress] https://launchpad.net/bugs/102141618:11
uvirtbotNew bug: #1021418 in orchestra (main) "Replace python-software-properties Depends with 'software-properties-common'" [Undecided,Won't fix] https://launchpad.net/bugs/102141818:11
=== cpg is now known as cpg|away
uvirtbotNew bug: #1021421 in lxc (universe) "Allow fstype=fuse.*, for all containers" [Wishlist,In progress] https://launchpad.net/bugs/102142118:16
koolhead17hello all18:19
=== zyga is now known as zyga-afk
=== cpg|away is now known as cpg
stgraberhallyn: debdiff for lxc sru: http://paste.ubuntu.com/1076870/18:26
uvirtbotNew bug: #1021428 in lxc (universe) "dh_apparmor runs against all binary packages, adding useless entries to lxc-dev's postinst/postrm" [Low,In progress] https://launchpad.net/bugs/102142818:26
uvirtbotNew bug: #1021429 in lxc (universe) "lxc-list should show frozen containers" [Medium,In progress] https://launchpad.net/bugs/102142918:31
=== dendro-afk is now known as dendrobates
stgraberhallyn: uploaded18:41
hallynstgraber: (hm, jjohansen isn't on, was trying to ping him as well)  i don't like the way we're having to do blacklists18:42
hallynthe @PROC/sys/ctl/[^s}[^h][^m] type stuff18:43
hallynsince jjohansen was asking for policy language improvements, here's something that could be made much better18:44
stgraberhallyn: oh yeah, that'd help a lot. Whitelisting single files is really a pain at the moment18:45
Davieyhallyn: If i wanted to create a tarball image for lxc usage, and inject it into lxc.. What would i do?18:47
hallynDaviey: well you can just cp it to /var/lib/lxc/<container>/rootfs which is what i usually do18:48
hallynDaviey: utlemming can probably tell you how to use cloud-init-files for it, using the lxc-ubuntu-cloud ubuntu template18:48
hallynis this for use from juju, or something else?18:49
hallynsee lxc-create -t ubuntu -h18:49
hallynsorry18:49
hallynlxc-create -t ubuntu-cloud -h18:49
hallynhm18:50
utlemmingubuntu-cloud lxc allows for user data...so conceivably you could wget it via userdata18:50
hallynyeah, i thought there was an option to pass in user-data (not script), but there's not18:50
utlemmingit would be a pretty easy patch to allow for tarball injection18:50
hallynso, what utlemming said18:50
DavieySo why do we have ubuntu and ubuntu-cloud?18:50
hallynDaviey: is wget from user-data script feasible for you?18:50
Davieyshouldn't ubuntu-cloud become ubuntu?18:50
Davieyhallyn: what for?18:51
hallynDaviey: what for what?  you said you wanted to pass a tarball image into lxc.18:52
hallynDaviey: so is creating a lxc-ubuntu-cloud container, passing in a user-data script, and wgetting your tarball from that script, sufficient for what you need?18:53
hallynDaviey: i'm mostly ok with ubuntu-cloud becoming ubuntu, although ubuntu still has a few extra features (I think), and I sort of prefer to depend on debootstrap existing, than on the cloud images always being published.18:54
hallynalways being published in a way i can reliably consume18:54
Davieyhmm, interesting18:54
hallynplus, i like the fact that i can debootstrap from apt-cacher-ng mirror, which has gotten populated just by apt-get dist-upgrade on the host, as opposed to a completely separate d/l of 200M18:54
hallynstill, you may be right18:55
stgraberFWIW I clearly prefer lxc-ubuntu to lxc-ubuntu-cloud, having a local mirror I can usually build a new template in a matter of seconds and without relying on Canonical's network working properly18:59
hallynjjohansen: we were just talking about you.19:00
jjohansenhallyn: hrmmm, sorry I missed it, my vpn had some issues19:01
hallynjjohansen: if you take a quick look at for instance /etc/apparmor.d/lxc/lxc-default at bottom,19:02
jjohansenhallyn: in quantal?19:03
hallynjjohansen: and in http://paste.ubuntu.com/1076870/ stgraber had to add another deny entry "19:03
hallyn+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,19:03
hallynjjohansen: or precise i think19:03
hallynjjohansen: the point is that trying to whitelist a few files is cumbersome and almost guaranteed to have errors over time19:03
hallynjjohansen: if there was a way we could have a userspace parser generate stuff like that for us,19:04
hallynso we could say "deny everything under /proc/sys/kernel except /shm"19:04
jjohansenhallyn: yes, its a big problem currently. There are some extension to make expressing things like that much easier on the roadmap but I doubt I will get to them this cycle19:05
=== cpg is now known as cpg|away
=== cpg|away is now known as cpg
BinaryMastertrying to compile from source and getting this error on ./configure configure: error: Unable to locate cc(1) or suitable replacement.  Check PATH or set CC.19:07
jjohansenhallyn: I can poke and see about rearranging some priorities19:09
hallynjjohansen: ok, i only mentioned it bc you had recently asked if there were any policy language improvements we could think of :)19:09
hallynjjohansen: thanks, i think it's an important one19:09
jjohansenhallyn: yep, thanks keep them coming19:09
=== cpg is now known as cpg|away
=== cpg|away is now known as cpg
sbeattieDaviey: is your team planning a quantal nova upload anytime soon?19:23
adam_gsbeattie: zul and i were just discussing. upstream has introduced (last week) a new build-depends that is going to need to go through MIR :|19:27
zulsbeattie: yeah i plan one tomorrow19:28
zuladam_g: i plan to revert the setuptools-git  for tomorrow and then plan to re-add it after the upload19:29
sbeattiezul, adam_g: okay, cool. I'm looking to get CVE-2012-3360 and 3361 (aka bug 1015531) taken care of in quantal.19:29
uvirtbotLaunchpad bug 1015531 in nova/essex "Remote arbitrary file corruption / creation flaw via injected files" [Critical,In progress] https://launchpad.net/bugs/101553119:29
uvirtbotsbeattie: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3360)19:29
zulsbeattie: it should already be in trunk right?19:29
Davieysbeattie: no, not short term19:30
BinaryMasterhas anyone here successfully installed openLdap on Ubuntu Server 12.04 ?19:30
koolhead17!openldap19:31
koolhead17!ldap19:31
sbeattiezul: yes, should be in trunk.19:31
ubottuLDAP is the Lightweight Directory Access Protocol. For more information, installation instructions and getting clients to authenticate via LDAP see https://help.ubuntu.com/community/OpenLDAPServer19:31
zulsbeattie: should be in upload for tomorrow then19:31
sbeattiezul: awesome, thanks.19:31
Davieyzul: Folsom-2 on target for tomorrow?19:32
koolhead17BinaryMaster, check the server guide i installed it at one go with previous release19:32
zulDaviey: we should be ready19:32
adam_gzul: how are we going to deal with setuptools-git ?19:33
zulDaviey: its been released already19:33
Davieysbeattie: Bah, sorry.. i misparsed your question..19:33
BinaryMasteryeah the new version is driving me nuts19:33
Davieyzul:  did you re-upload setuptools-git?19:34
BinaryMasterit uses rtc configuration19:34
zuladam_g: well either fix the debian/copyright and get it uploaded today and a rush MIR or back it out19:34
zulDaviey:  about to19:34
Davieyzul: If you upload it shortly, i'll review it.. and see if we can get speedy MIR'ing.. If not, back out the changeset.19:34
zulDaviey: ack19:34
* koolhead17 pokes adam_g & zul19:35
zulDaviey: ok setuptools-git uploaded with fixed debian/copyright19:37
Davieyta19:38
RichardRaseleySo, I am interested in setting up an OpenStack environment using JuJu and MaaS (as outlined here https://help.ubuntu.com/community/UbuntuCloudInfrastructure), but I only have 5 nodes to work with. Is it possible for me to co-locate some of the services but still use juju to do the deployment? Like if I wanted 1x for mass / juju 1x mysql, rabbitmq, keystone, horizon, and 3x nova nodes...19:45
koolhead17RichardRaseley, every service will run on separate instance/node19:49
RichardRaseleykoolhead17: That is too bad that juju is limited in that way - looks like I will have to do it manually.19:50
RichardRaseleyThanks.19:51
blackhand0321its not so hard if you are using vm's19:51
koolhead17RichardRaseley, its not bad, that is how its designed. juju works with service :)19:52
koolhead17SpamapS, correct me if am wrong here siir.19:52
RichardRaseleykoolhead17: Well, it is bad in this situation because it can't do what I'd like it to do.19:52
Davieyzul: did it have a watch file last time?19:52
zulDaviey: nope19:52
Davieyzul: ga dammit.. can you add a watch and get-orig-source please?19:53
zulDaviey: *sigh* sure19:53
koolhead17RichardRaseley, try with one less nova compute, it will still work19:53
blackhand0321he left..19:54
koolhead17blackhand0321, :(19:55
SpamapSdarn he left too fast19:55
SpamapSkoolhead17: there is a way to do it w/ less than 10 nodes19:55
blackhand0321I had a dev platform setup this morning running with 3 nodes19:56
koolhead17SpamapS, is there a blog/doc for that way around? It be cool19:56
koolhead17blackhand0321, you used Juju?19:56
blackhand0321yes19:56
SpamapSno19:56
SpamapSkoolhead17: its a huge hack19:56
koolhead17SpamapS, oooh19:57
koolhead17blackhand0321, i have single machine setup without juju though19:57
blackhand0321https://wiki.ubuntu.com/SecurityTeam/TestingMAAS19:57
koolhead17SpamapS, we have so many docs available so many places :)19:58
SpamapSkoolhead17: yes, this is not something we want to document.. we need to fix it19:58
blackhand0321I agree with the fix logic but just was noting it was possible19:59
koolhead17SpamapS, so we can run more than one service on a single VM19:59
SpamapSkoolhead17: well for VMs I suggest sizing them properly for one service. But for real machines, yes.20:00
Davieyzul: can be added later, but is there a reason not to have a py3 package?20:00
zulDaviey: i didnt think of it20:00
koolhead17SpamapS, okey20:03
zulDaviey:  ok uploaded20:04
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
hallynstgraber: did you see the email to lxc-devel with subject "set shmmax for container in lxc-execute"20:22
stgraberhallyn: yeah, I guess I should reply that it's going to be fixed by an SRU :)20:23
hallynstgraber: cool thanks :)20:23
=== cpg is now known as cpg|away
=== Aaton_off is now known as Aaton
=== matsubara is now known as matsubara-afk
=== zyga_ is now known as zyga
=== cpg|away is now known as cpg
=== cpg is now known as cpg|away
Davieyroaksoax: Can you triage bug 1021488 please?21:33
uvirtbotLaunchpad bug 1021488 in orchestra-modules "Please remove orchestra from Ubuntu" [Undecided,New] https://launchpad.net/bugs/102148821:33
roaksoaxDaviey: done!21:34
roaksoaxDaviey: should I subscribe to archive admins?21:35
=== MattJ100 is now known as MattJ
Davieyroaksoax: sure21:35
=== MattJ is now known as Guest89758
Davieyroaksoax: I'm about to do the AA bit, but i wanted a fellow developer to sign it off first.21:35
roaksoaxDaviey: ;)21:37
roaksoaxRIP Orchestra21:37
Davieyroaksoax: and.. it's gone21:40
Davieyroaksoax: feel a bit nostalgic21:40
Daviey:)21:40
roaksoaxDaviey: hahaha nah.... I barely remembered it existed after so much work on maas21:42
roaksoaxs/Orchestra/MAAS in my head21:42
roaksoaxlol21:42
Daviey:)21:43
Davieyroaksoax: I don't want to break the news to fwereade.21:44
roaksoaxDaviey: hehe!! I can do it21:44
roaksoax:)21:44
=== cpg|away is now known as cpg
smw_Hi guys. For some reason my server mounted the root as readonly on restart22:06
smw_how can I get log data?22:06
genii-aroundmount -o remount,rw /22:07
=== cpg is now known as cpg|away
smw_mount: cannot remount block device /dev/mapper/venice-root read-write, is write-protected22:08
smw_anyone know why that error would occur?22:09
Patrickdksounds self explanatory to me22:09
Patrickdksomeone write-protected it :)22:09
smw_Patrickdk, what does that mean?22:09
smw_Is that a hardware (such as raid controller) limitation?22:10
smw_write protected by what?22:10
PatrickdkI don't know, I don't own your server22:10
smw_any way to dig deeper? What are examples that would cause such an error?22:10
=== dendrobates is now known as dendro-afk
Patrickdkclicking write protect on a floppy disk, using a cdrom, ...22:11
Patrickdkif you're using hardware raid, sounds like it's freaking out, so you should check it22:11
=== dendro-afk is now known as dendrobates
genii-aroundProbably want to do a fsck then reboot22:14
fwereadeDaviey: heh, consider the news broken; and my phlegmatic and dignified aspect to be the envy of all22:15
Davieyfwereade: Very noble!22:15
smw_Patrickdk, that is my guess truthfully22:17
asbysmw_, for protection ext3 can mount itself read only to prevent data loss. Try a forced fsck and reboot.22:23
asbyIf not helping check disk, raid, san, whatever you use to mount your root filesystem from.22:24
smw_asby, I rebooted without fscking already22:25
smw_need to wait about 40 min for it to come back up22:25
smw_I will fsck it next chance I get22:25
smw_thank god this is the dev/stage server...22:26
smw_It is causing a great amount of annoyance... but not a catastrophe22:26
asbyTell me about annoyance. I have a server, with a fresh (and updated) install of 12.04 and the system will only reboot when I use a power cycle. Anything else (shutdown -r now/shutdown -h + power on) ends in hanging after init-bottom script.22:28
smw_asby, did fsck (damn that reboot was quick)22:30
smw_/dev/mapper/venice-root: recovering journal22:30
smw_fsck.ext4: Bad magic number in super-block while trying to re-open /dev/mapper/venice-root22:30
smw_e2fsck: io manager magic bad!22:30
smw_asby, and when I say I did an fsck... I really mean fsck looked at it and threw up its hands22:30
asbyproblem with superblock or hardware related?22:32
smw_asby, no idea22:33
smw_this makes it look like the superblock22:33
asbytry a dumpe2fs /dev/mapper/venice-root | grep superblock22:33
asbysuperblock is stored on multiple places in ext2/ext3. Don't know about ext4 though22:34
smw_wonderful...22:34
smw_fsck unmounted /22:34
smw_no sudoers file... looking for the root password to see if / is remountable22:36
asbyYou can try this procedure: http://www.cyberciti.biz/faq/recover-bad-superblock-from-corrupted-partition/22:38
smw_asby, nice22:39
asbyAlthough it also could be hardware related. In that case I hope you have hardware support and a good backup/restore procedure ;)22:39
smw_asby, I am newly in charge of making such things (worked here a month, this server has been running for years)22:42
smw_time to call the isp and get the server rebooted22:42
asbysmw_, goodluck with it, it is bedtime here, so ttyl22:48
smw_bye, thanks for your help22:50
=== arosales1 is now known as arosales
smw_what do people here use for monitoring?22:57
smw_I like I am thinking of installing nagios22:57
=== Lcawte is now known as Lcawte|Away
qhartmanIt looks like the apt repo for us-west-1 for ec2 is having issues. Is this just me or is there something legitimately amiss?23:50
qhartmanhm, seems to be fixed already. Was getting a 403 on one of the files that "apt-get update" was trying to pull.23:54
