| chaos_zero | hello i have a server emergency (lol njot actually that seriour for the world, but serious for me) | 01:03 |
|---|---|---|
| chaos_zero | i was trying to clean up all these ip rules i made that did not work so i used the flush command and now the network does not work correctly or do anything even after a server reboot | 01:04 |
| chaos_zero | can i restore to like it was before the flush | 01:04 |
| qman__ | chaos_zero, if you flushed the rules you also need to set an accept input and output policy | 01:42 |
| qman__ | sudo iptables -P INPUT ACCEPT; sudo iptables -P OUTPUT ACCEPT | 01:43 |
| MoleMan | Can anyone think of any reasons SSH keys may not work for a specific user? the authorized_keys file is identical to that used and working for two other users (bar owner and group obviously) | 01:43 |
| qman__ | permissions | 01:43 |
| MoleMan | 664, same for all 3 users which have SSH keys set... | 01:43 |
| qman__ | ~/.ssh must be 700, ~/.ssh/authorized keys must be 600 | 01:43 |
| qman__ | well, it's supposed to be anyway | 01:44 |
| MoleMan | #644 not 664. okay, I can change them, but too high permssisions shouldn't matter? and is working for two other users like that so :/ | 01:44 |
| qman__ | sshd cares about that | 01:45 |
| qman__ | if your keys aren't secured it won't work | 01:45 |
| MoleMan | but why would it work for two users, but not a third? | 01:45 |
| qman__ | especially ~/.ssh and your private key | 01:45 |
| * MoleMan is fixing anyway | 01:46 | |
| MoleMan | I don't actually have any keys set on the server, only authorised keys, and am using PuTTY from windows... | 01:46 |
| qman__ | could be the user's shell | 01:47 |
| qman__ | is it a valid shell? | 01:47 |
| MoleMan | I believe is bash, same as the others, and I can login and interact properly if I manually enter password... | 01:48 |
| qman__ | ok | 01:48 |
| MoleMan | have just fixed the permissions, about to try again | 01:48 |
| MoleMan | -_- it worked... | 01:48 |
| MoleMan | must have been the directory permissions... I think they were different... | 01:49 |
| MoleMan | thanks :) | 01:49 |
| qman__ | yeah, that one's not so obvious if you haven't seen it before | 01:49 |
| qman__ | the other issues have better indicators | 01:49 |
| MoleMan | I know I'm probably about to get told that it's bad practice to actually have the www-data account with a password and changed shell and in a usable condition etc blah blah blah | 01:52 |
| MoleMan | but how could I give the www-data full access to run 'service apache2 reload' without errors? | 01:53 |
| MoleMan | because the service should start using permissions as www-data, but it still requires root/sudo to be able to start/stop/reload it without errors? | 01:54 |
| qman__ | add a sudoers rule to specifically allow www-data to do only that | 01:54 |
| qman__ | but yes, that's still an incredibly bad idea | 01:54 |
| qman__ | at the very least, set up the keys and remove the password | 01:55 |
| qman__ | and make sure you use absolute paths for the commands | 01:56 |
| MoleMan | bearing in mind it isn't a production server, is just a random server hosting a few unused sites etc in the other room, what are the main issues with doing so? (I know its a bad idea, I just never looked properly into why) I mainly added the password for FTP access because I was getting annoyed by permissions... | 01:56 |
| qman__ | that's an even worse reason for doing so | 01:56 |
| qman__ | just create a new user, add them to the www-data group, done | 01:56 |
| qman__ | www-data shouldn't actually own anything it doesn't absolutely have to anyway | 01:57 |
| qman__ | your website files should be owned by root or the user who maintains them | 01:57 |
| qman__ | www-data should merely have read access through world permissions | 01:57 |
| qman__ | the main problem is that websites are not just static pages anymore | 01:58 |
| qman__ | and scripts, especially php scripts, are vulnerable to attack | 01:58 |
| qman__ | and your scripts run as www-data | 01:58 |
| qman__ | so www-data should not be able to do anything destrucgive | 01:58 |
| qman__ | destructive* | 01:58 |
| MoleMan | but it has to be able to write to files for certain php files to work and do what theyre meant to... and it has to own/be able to access its on config surely? | 01:59 |
| qman__ | no | 01:59 |
| qman__ | if you're allowing writing, it should be strictly limited | 02:00 |
| qman__ | to a single directory or file | 02:00 |
| qman__ | and it should be able to read its config through world-read, like most everything else | 02:00 |
| qman__ | the www-data user is not trustworthy and should be treated as such | 02:00 |
| MoleMan | hmmm, I will take what has been said on-board :) and will act upon it at some point... | 02:01 |
| MoleMan | I think both my PC and server are due a rebuild sometime soon anyway | 02:01 |
| qman__ | while you're at it, you shouldn't use FTP either | 02:02 |
| qman__ | SFTP is in all ways superior | 02:02 |
| MoleMan | if so, why does FTP appear to be the more commonly used standard? or is that either my misconception, or it spreading across from windows servers? | 02:03 |
| qman__ | ignorance, mostly | 02:04 |
| qman__ | http://mywiki.wooledge.org/FtpMustDie | 02:04 |
| qman__ | if you want some more substantial reasoning | 02:04 |
| MoleMan | yet large webhosts etc surely have no excuse for ignorance, yet give their users FTP not SFTP? or is that more because SFTP uses actual user accounts, where FTP can be configured alternatively? | 02:05 |
| qman__ | no, just ignorance and laziness | 02:05 |
| qman__ | it's rampant | 02:05 |
| MoleMan | (if I'm coming across as argumentative its not the intention, this is just the style I discuss things in to understand better) | 02:05 |
| MoleMan | just thought I'd throw that out there, as people have had problems with my attitude before when I'm just trying to discuss and understand/learn :) | 02:06 |
| qman__ | especially if you're using SSH already, there's no reason not to use SFTP | 02:06 |
| qman__ | you already have it, your users are already configured | 02:06 |
| qman__ | and restricting users to SFTP and not SSH is easier than ever since about a year and a half ago | 02:07 |
| qman__ | there's a built in sftp-only feature | 02:07 |
| qman__ | and chrootdirectory | 02:07 |
| qman__ | and there's winscp and filezilla for windows users | 02:07 |
| MoleMan | I know FileZilla supprts SFTP as a client, my comment about windows was more to whether it is possible to host a SFTP server on windows? | 02:08 |
| qman__ | yes, with filezilla server | 02:09 |
| qman__ | there are other programs too | 02:09 |
| qman__ | I don't think microsoft has an SFTP server in IIS yet | 02:09 |
| qman__ | but enabling FTP in it requires significant hoop-jumping too | 02:10 |
| qman__ | about the only thing FTP has that SFTP doesn't is anonymous file uploads/downloads, but that's easily accomplished with HTTP and a simple website, and is usually a bad idea anyway | 02:12 |
| qman__ | and you could always create a public user account too | 02:12 |
| MoleMan | yeah, I agree its a bad idea, and surely can be achieved by creating an account 'anonymous' witha blank/obvious password anyway | 02:13 |
| MoleMan | beat me to it :P | 02:13 |
| MoleMan | considering anonymous FTP actually theoretically uses your email adress doesn't it? or something like that... I can't remember | 02:13 |
| ScottK | http://mywiki.wooledge.org/FtpMustDie | 02:14 |
| MoleMan | ScottK: yeah qman__ had already linked and I am reading, had just popped back to comment that I like the blunt terminology of 'your wiki page about FTP protocol being shit' | 02:18 |
| ScottK | There's really no excuse for ftp anymore. | 02:19 |
| MoleMan | awkward moment when I can't even see what FTP server I have installed to remove... I thought it was SFTPD or something, but apparently that isn't there... | 02:22 |
| MoleMan | can't even remember what I was doing anymir | 02:24 |
| MoleMan | more# | 02:24 |
| qman__ | so, is there any way to find out where my server is hanging when there's no screen output and no logs written? | 02:40 |
| qman__ | I know it gets past fsck, because I've seen it doing the disk activity checking the disks | 02:40 |
| qman__ | and the interface is up and pings, but that's it | 02:41 |
| qman__ | I get a blank screen with a blinking cursor 2/3 the way down | 02:41 |
| qman__ | and I'm already booting without quiet splash and with nomodeset noplymouth | 02:42 |
| john206 | Hi guys, can anyone help me out with ks.cfg file? | 03:14 |
| john206 | anyone? :) | 03:15 |
| john206 | out of 100 people here not even one volunteer cool :) | 03:17 |
| === blkperl_ is now known as blkperl | ||
| Alfafa | Hi anyone have problems with maildrop making temporary failures since yesterday? (I thought it could be updated packages. But only gnutls related packages + cron was updated - and I don't see the maildrop binary linked to gnutls libraries) | 06:42 |
| Alfafa | It seems there is some how a problem. When I now run maildrop -d <user> I just get a message like this: ERR: authdaemon: s_connect() failed: No such file or directory | 06:53 |
| Alfafa | The only packages upgrade between working and nonworking is: libgnutls-openssl27:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutls26:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutls26:i386 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), libgnutlsxx27:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1), cron:amd64 (3.0pl1-120ubuntu3, 3.0pl1-120ubuntu4), libgnutls-dev:amd64 (2.12.14-5ubuntu3, 2.12.14-5ubuntu3.1) | 06:53 |
| Alfafa | I haven't had the authdaemon installed because I don't use it, but maybe maildrop tries to connect to it via gnutls and something in gnutls is changed/fails ? | 06:54 |
| moothecow | Hi, I'm a bit confused. Since when does cache make it into swap? Either that, or top is hopelessly incorrect. | 06:59 |
| moothecow | We run online backup software on it in java, there's 2 java processes, according to top they use 38.3 and 8.4% of the memory (4GB). Yes, there's 3.8G used (of which 1.6 buffers) and 2.7G swap in use (adding all mem percentages in top comes only around 50% of memory) | 07:01 |
| Alfafa | moothecow: Didn't see your original question. Is the problem that the processes is spinning cpu? | 07:18 |
| moothecow | no the problem is there's memory in use that I can't related to a process | 07:19 |
| moothecow | have stopped the backup software now, according to free there's still about 3G memory used. Swap is nearly empty now (only 71MB) | 07:19 |
| moothecow | sorting by memory in top (M) lists 3 processes with 0.1% mem, the rest is at 0.0... | 07:19 |
| === smb` is now known as smb | ||
| moothecow | so there appears to be 3G in use by air or something like that :) | 07:20 |
| _ruben | moothecow: if you find a way to track back that kind of memusage to something useful, let me know ;) | 07:20 |
| _ruben | have had similar challenges in the past as well :) | 07:20 |
| moothecow | Must be a memory leak or something... find it quite amazing anyways, there's a community grid client on it | 07:21 |
| moothecow | oh world community grid, that's it... but according to top that's hardly using memory, it seems to have died cause it should use a lot of cpu :D but it's idle | 07:21 |
| _ruben | it decided to "use" mem instead of cpu apparently | 07:22 |
| moothecow | perhaps, but stats don't reflect that :/ | 07:22 |
| _ruben | i (also) don't understand how the system could claim memory as being used, but not "know" what's using it, apparently | 07:22 |
| moothecow | _ruben: can buffers end up in swap? afaik they shouldn't | 07:22 |
| _ruben | that'd be really strange | 07:23 |
| _ruben | the whole idea about cache and buffers to make things faster, not slower ;) | 07:23 |
| moothecow | yea but it runs iet(d) (iscsi enterprise target) in fileio mode | 07:23 |
| blinkiz | Hi. I need examples how to get prefix delegation to work from a dhcp v6 server. Am talking http://tools.ietf.org/html/rfc3633 | 07:24 |
| _ruben | eew ... ietd | 07:24 |
| moothecow | never quite understood which is faster anyways fileio seems to do much more caching | 07:24 |
| moothecow | yea looking at switching to lio | 07:24 |
| moothecow | unfortunately, they have removed vaai from the roadmap... seems to be implemented but only on the paid version | 07:24 |
| _ruben | might research lio someday, using scst currently | 07:24 |
| moothecow | lio has error corrections etc. (iet doesn't - not sure on scst I really like the design (never used it tho') but it was never allowed into the kernel) | 07:25 |
| moothecow | they include lio instead... think scst would have added some stuff for the general scsi stack as well so that's unfortunate | 07:25 |
| _ruben | scst builds fine through dkms, for optimal performance you'd need to apply some small kernel patches tho, which i dont bother with | 07:26 |
| moothecow | lio on the other hand had vaai on the roadmap for the free version at some point (but it's gone and can't find any mention of it other than on the commercial version) | 07:26 |
| moothecow | so that kinda had me excited for nothing :D | 07:27 |
| moothecow | lio and scst should perform similar iirc | 07:27 |
| _ruben | there's been quite some discussions on the scst mailinglist about getting it mainlined, the scst devs had the feeling they weren't treated in a fair manner, and lio just getting shoe-horned in instead | 07:29 |
| moothecow | I read the kernel posts on that | 07:30 |
| moothecow | apparently he insisted on using /proc, all they wanted was him to use the new standards (sysfs, etc.) lio uses configfs (actually getting quite fed up by all the new fs's, how many do we need... there used to be just /proc :D) | 07:31 |
| _ruben | it crossed a shitload of mailinglists ;) | 07:31 |
| _ruben | scst has moved to sysfs quite some time ago (mostly due to that discussion) | 07:31 |
| _ruben | procfs is still left for backwards compat and stuff | 07:32 |
| _ruben | (compiletime option) | 07:32 |
| moothecow | hmm but now that they choose lio they won't move soon I presume... :/ scst offers a lot of advantages for the entire scsi stack tho' | 07:32 |
| moothecow | are you aware of any distro's using it by default? | 07:32 |
| _ruben | there's tons of freenas and likes that ship it i think, never really looked into any of those | 07:33 |
| moothecow | _ruben: freenas is freebsd :) | 07:34 |
| moothecow | unfortunately oracle closed zfs before implementing encryption, it's the only feature I miss that's been released since then. Never got why they didn't port it, btrfs is nowhere near zfs capabilities | 07:36 |
| moothecow | usually resort to freenas for zfs tho' | 07:36 |
| _ruben | moothecow: yeah, didnt mean the freenas project specifically, but more like a global name for all those storage appliances out there | 07:40 |
| moothecow | I saw a product named comstar or something like that once, I suspect they use it too. It creates virtual tape drives over iscsi. You inject 'tapes' into it (just image files from that I can tell) and you can actually just write those image files to tape again. Never quite got why people want backup2disk like that (with virtual tape emulation et all) but the idea was nice | 07:42 |
| _ruben | isn't comstar solaris' iscsi stack? | 07:44 |
| moothecow | eh my brain needs to wake up ... perhaps they share names | 07:45 |
| RoyK | _ruben: iscsi target, not initiator (afaik) | 07:45 |
| _ruben | COMSTAR – an enterprise SCSI target system supporting iSCSI/iSER/FC/FCOE | 07:45 |
| _ruben | as listed on openindiana site | 07:45 |
| RoyK | yes... target | 07:46 |
| _ruben | i'd look into openindiana for a our storage clusters, if only i could be arsed to learn a new os :P | 07:46 |
| RoyK | _ruben: but iirc COMSTAR isn't in use for s10, and maybe not for s11 | 07:46 |
| _ruben | RoyK: woulnd't know, never used any of it ;) | 07:47 |
| RoyK | seems comstar is there in s11 http://docs.oracle.com/cd/E23824_01/html/E24456/storage-7.html | 07:47 |
| moothecow | Hmm that much different from opensolaris? | 07:47 |
| moothecow | illumos is a fork of opensolaris by nexentastor iirc | 07:47 |
| _ruben | nexentastor has been on my radar as well | 07:47 |
| RoyK | moothecow: not really, nexenta is part of the illumos project, but they never started it | 07:48 |
| RoyK | moothecow: it all started with a fork from opensolaris to openindiana, then illumos was separated to take care of OS/Net (kernel + vital userspace stuff) | 07:48 |
| RoyK | moothecow: now openindiana is lacking developers to continue support of the rather large amount of packages available, and SmartOS or OmniOS may be better choices for future installations | 07:50 |
| RoyK | (according to Alasdair Lunden, the original OI founder) | 07:51 |
| === matsubara-afk is now known as matsubara | ||
| efpe | hi | 08:18 |
| moothecow | RoyK: thx for the info :) | 08:19 |
| moothecow | still hoping oracle will release ZFS... but I'm not going to hold my breath on it :D. It would immediately fulfill their desire for an enterprise FS on linux tho' | 08:20 |
| efpe | i have a problem with booting a half-hardy/half-karmic system | 08:20 |
| moothecow | efpe: err half? | 08:20 |
| efpe | it there a change somebody can help me? | 08:20 |
| efpe | moothecow: yes :/ | 08:20 |
| efpe | our old sysops made this :P | 08:20 |
| moothecow | do-release-upgrade f* up? | 08:20 |
| efpe | http://www.efpe.hu/ubi/ | 08:20 |
| efpe | moothecow: that will be the next step.. but i have to boot the system :P | 08:21 |
| efpe | mountall hangs after "fhs mounted" | 08:21 |
| moothecow | can't do much with the screenshot, see processes exiting but the reason why is probably ^ | 08:21 |
| efpe | i can get a shell with sulogin (or init=/bin/bash) and i'm able to remount the filesystem with rw | 08:22 |
| efpe | when i run mountall (without initctl), it returns with 0 | 08:23 |
| moothecow | did it used to boot fine? | 08:23 |
| moothecow | I'm a lazy bofh... I'd just boot with a livecd, chroot into the install and have it do do-release-upgrade :P | 08:23 |
| moothecow | might want to backup the import stuff first | 08:23 |
| efpe | great question.. this server had 5-600 days uptime | 08:23 |
| efpe | moothecow: yep, this will be the next step but i thought somebody maybe can help... | 08:24 |
| efpe | i'm not an expert of the event based booting.. | 08:24 |
| efpe | the interesting part is that the init is able to mount the swraid | 08:25 |
| efpe | as you can see here: http://www.efpe.hu/ubi/boot/ | 08:26 |
| moothecow | efpe: yea found those... the 'mountall goal changed from start to stop' looks interesting too | 08:26 |
| moothecow | searching that line gives a couple of launchpad links, you might want to delve into those | 08:28 |
| efpe | oh, okay, thanks :) | 08:29 |
| efpe | i found interesting the "mountall state change from post-stop to waiting" | 08:29 |
| moothecow | efpe: http://wiki.prgmr.com/mediawiki/index.php/Upstart_troubleshooting | 08:33 |
| moothecow | he added --verbose in grub, mount process dies there too because of missing locale | 08:33 |
| efpe | hmm, the screenshots contains the --verbose and --debug options too :P | 08:34 |
| efpe | but this link looks like interesting | 08:34 |
| moothecow | yea but your mount process unfortunately doesn't say why it dies (it even says exited *normally* :D) | 08:35 |
| efpe | yep that's the interesting part... | 08:35 |
| efpe | btw my locale looks okay :( | 08:36 |
| moothecow | i'd still just upgrade it :P | 08:36 |
| moothecow | running half/half might be the issue | 08:36 |
| efpe | yes :( | 08:36 |
| efpe | but i'm afraid i have to find a solution :( | 08:36 |
| moothecow | some old version of a process might just return something a new version of a script doesn't expect or something like that | 08:37 |
| efpe | this a the nfsroot/tftpd/etc server in our network | 08:37 |
| efpe | and it has a second node which runs for now.. | 08:37 |
| efpe | i'm afraid when the upgrade will be done, something will go wrong | 08:37 |
| efpe | moothecow: i think you are right :( | 08:37 |
| moothecow | maybe but it's easy to backup linux machines :) | 08:40 |
| === Aaton_off is now known as Aaton | ||
| moothecow | and it's probably better troubleshooting an issue that needs to be handled than one that might just magically disappear with an upgrade | 08:40 |
| efpe | moothecow: :D | 08:41 |
| === Aaton is now known as Aaton_off | ||
| efpe | hmm | 08:42 |
| efpe | http://www.efpe.hu/ubi/waiting.png | 08:42 |
| efpe | another interesting thing... | 08:42 |
| moothecow | isn't /tmp in tmpfs? | 08:45 |
| Daviey | jamespage: Which packages are you thinking of? | 08:48 |
| jamespage | Daviey, restlet and simple-http | 08:49 |
| Daviey | jamespage: I'm gonna reject them. | 08:49 |
| jamespage | Daviey, thanks :-) | 08:49 |
| jamespage | Daviey, they are deps for the floodlight openflow controller work | 08:50 |
| Daviey | jamespage: ok | 08:50 |
| efpe | moothecow: there's no /tmp in /etc/fstab | 08:51 |
| moothecow | hmm one wonders why it wants to mount it then, but not familiar enough with ubuntu's init scripts | 08:51 |
| efpe | me neither :( | 08:52 |
| efpe | another thing is i can get a console with sulogin | 08:53 |
| efpe | mount says it's readwrite, but it's readonly | 08:53 |
| efpe | moothecow: is it possible to use standard booting mechanism like sysv? | 08:55 |
| moothecow | I dunno, I just run ubuntu on some servers. In theory you can make it run sysv obviously, question is if ubuntu has support for it or if it means you'll have to write the entire init scripts yourself (and more importantly, maintain them) | 08:56 |
| efpe | moothecow: you're right | 08:59 |
| moothecow | kinda like you can run half/half in theory too, but nobody is going to support it ;) | 08:59 |
| efpe | :D:D | 08:59 |
| Daviey | jamespage: is restlet really released under all of these, Apache-2.0 or CDDL or EPL-1.0 or LGPL-2 or LGPL-2.1 ? | 09:01 |
| moothecow | is the machine complex? You could just exclude your nfs export dirs from backup and thus backup the import dirs like /etc, /lib, /usr, /opt, /var, etc., boot livecd, chroot into the system (make sure proc, sys, etc. are mount -o bind to chroot) and try upgrading, if it doesn't work boot live cd again, wipe the dirs and restore them from tar | 09:01 |
| Daviey | jamespage: wow, http://www.restlet.org/about/legal | 09:01 |
| jamespage | Daviey, apparently so - and the headers are all in place on every file to sate so | 09:01 |
| jamespage | Daviey, yeah - I was surprised as well | 09:01 |
| jamespage | Daviey, the most awkward thing about restlet is how I have to generate the orig.tar.gz | 09:04 |
| Daviey | jamespage: You've left debian/maven.* boilterplate there.. that is convention for maven packages, right? | 09:04 |
| jamespage | Daviey, yeah | 09:04 |
| jamespage | it appears to be | 09:04 |
| Daviey | jamespage: yeah, i was just grokking the get-orig script :) | 09:04 |
| jamespage | the maven-debian-helper gets confused otherwise | 09:04 |
| efpe | moothecow: i forgot to mention we use drbd :) | 09:05 |
| jamespage | Daviey, its still built from official source artifacts - just ones pulled and verified from the central maven-repo | 09:05 |
| efpe | and the other node is half/half :D | 09:05 |
| moothecow | is there anything important on the machine that isn't on the other node? You might just try reinstalling it, get it connected with drdb etc and make it master then do the same with the other node :) | 09:06 |
| Daviey | jamespage: Yeah, looks good.. I was suprised to see the ^M carriage returns.. :) | 09:06 |
| jamespage | Daviey, thanks v much | 09:08 |
| jamespage | Daviey, lol | 09:08 |
| jamespage | I love working with Java ;-) | 09:08 |
| efpe | moothecow: yeah, i should do that | 09:09 |
| moothecow | I take it you mean the coffee variant of it :P | 09:09 |
| efpe | :D | 09:09 |
| === zyga is now known as zyga-afk | ||
| === cpg is now known as cpg|away | ||
| === daker__ is now known as daker_ | ||
| ivoks | zul: around? | 10:23 |
| === daker__ is now known as daker_ | ||
| === matsubara is now known as matsubara-afk | ||
| Daviey | ivoks: zul won't be around for a bit.. can anyone else help? | 10:54 |
| ivoks | Daviey: i was wondering if anyone had success with openstack on arm | 11:03 |
| === zyga-afk is now known as zyga | ||
| Daviey | ivoks: YES | 11:30 |
| Daviey | ivoks: zul has a patch for libvirt on highbank. | 11:31 |
| ivoks | Daviey: hm... i have problems before libvirt kicks in | 11:33 |
| ivoks | Daviey: i'll talk to him once he's online | 11:33 |
| Daviey | k | 11:33 |
| Daviey | ivoks: it's probably debian bug 670680 ? | 11:35 |
| uvirtbot | Debian bug 670680 in src:python-greenlet "armhf sigsegv's on task switch" [Important,Open] http://bugs.debian.org/670680 | 11:35 |
| ivoks | Daviey: no, issues are with preparing the disk image for the instance | 11:36 |
| ivoks | Daviey: nbd never gets properly created | 11:36 |
| ivoks | Daviey: i'm interested to see if he had some hacks in that area before i dig into the code | 11:37 |
| ivoks | Daviey: for some reason, nova keeps trying mounting whole disk, instead of partition | 11:37 |
| Daviey | hum, interesting | 11:38 |
| zul | ivoks: whats up? | 11:48 |
| ivoks | zul: i was wondering if you had problems with starting instacnces on openstack on arm | 11:49 |
| ivoks | zul: in my case, when nova starts preparing the instance image, it fails with error 32 when mounting nbd15 as rootfs | 11:50 |
| zul | ivoks: i did...i was able to get as far as starting instances but i had veth problems that need to be fixed on both x86/arm first | 11:50 |
| ivoks | zul: but the problem happens much sooner | 11:50 |
| zul | on quantal? | 11:50 |
| ivoks | precise | 11:50 |
| zul | oh....i was working on quantal | 11:51 |
| ivoks | hm... with newer openstack, right | 11:51 |
| zul | right | 11:51 |
| ivoks | hmph hmph... | 11:51 |
| zul | you need a fix for libvirt and greenlet and euca2ools | 11:51 |
| ivoks | i don't get to see libvirt at all :) | 11:52 |
| ivoks | and greenlet i have fixed | 11:52 |
| ivoks | so... this is the failure | 11:54 |
| ivoks | nova-rootwrap mount /dev/nbd14 /var/lib/nova/instances/instance-00000009//rootfs | 11:54 |
| ivoks | that fails | 11:54 |
| ivoks | but... i can see problems popping much sooner than that stage | 11:54 |
| zul | hmmmmm... | 11:54 |
| zul | have you tried using libguestfs instead? | 11:55 |
| ivoks | nope | 11:55 |
| ivoks | i mean | 11:59 |
| ivoks | even this fails: | 11:59 |
| ivoks | resize2fs /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_2 | 11:59 |
| ivoks | but this is where it starts: | 12:00 |
| ivoks | qemu-img resize /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_2 214748364 | 12:00 |
| ivoks | 8 | 12:00 |
| ivoks | thank you c/p | 12:00 |
| ivoks | qemu-img resize /var/lib/nova/instances/_base/867af04238fd6763792861f54013e3a41c95d6a1_2 2147483648 | 12:00 |
| ivoks | this fails with exit code 8 | 12:00 |
| ivoks | cause that over there is not partition, but a disk | 12:00 |
| ivoks | ok, if you haven't have this problem, i'll dig into the code to see what's going on | 12:01 |
| ivoks | what's the libvirt fix you are talking about? | 12:02 |
| ivoks | cause, it looks like libvirt creates the image | 12:04 |
| ivoks | lunch time... i'll be back in 30 minutes | 12:05 |
| === K4k_ is now known as K4k | ||
| RoyK | moothecow: ZFS is released under CDDL, regardless of what Oracle is doing, but that doesn't help Linux users, since CDDL and GPL aren't compatible | 13:09 |
| ScottK | RoyK: Unless you can afford lawyers like Google, I don't think it's safe to think a Free license is going to be enough you don't have to worry about what Oracle does. | 13:11 |
| RoyK | ScottK: I don't think it's healtyh to have that amounts of paranoia - there are thousands of installations around with Illumos-based OSes, some, like NexentaStor, with commercial support | 13:12 |
| ScottK | Given what just happened with Java, I think it's reasonable concern for foreseeable risk. Not everyone will agree, of couse. | 13:13 |
| ScottK | ... course. | 13:13 |
| RoyK | if Oracle wanted to sue the storage people using CDDLed ZFS, they would have done it a long time ago | 13:13 |
| RoyK | what java thing? there have been several | 13:14 |
| ScottK | Up until not so long ago you might have made the same statement about Java. | 13:14 |
| ScottK | The lawsuit that they filed and totally just lost against Google. | 13:14 |
| RoyK | where Google had used code from Java in Android? | 13:14 |
| RoyK | and thereby broken the license? | 13:15 |
| ScottK | http://www.groklaw.net/staticpages/index.php?page=OracleGoogle | 13:15 |
| ScottK | That case, but the one where they hadn't broken any license. | 13:15 |
| moothecow | RoyK: no it isn't, it's closed since version 29 | 13:15 |
| ScottK | Or to the extent code was found it was totally deminimus and clearly not intentional. | 13:16 |
| RoyK | moothecow: Oracle's ZFS is closed, yes, but Illumos' ZFS has the same stuff, minus encryption | 13:16 |
| ScottK | The bigger concern is that Oracle discovered the novel theory that APIs are copyrightable. | 13:16 |
| moothecow | RoyK: yes, that's because it stuck at version 28, just like the bsd, zfsonlinux and other implementations | 13:16 |
| ScottK | Fortunately the judge said they were wrong. | 13:16 |
| RoyK | moothecow: and it will be stuck at version 28, because illumos has moved away from that versioning scheme, for very good reasons | 13:17 |
| ScottK | But it's evidence that just because nothing you know about the law right now makes you think you're at risk, there's no guarantees Oracle won't come up with some new craziness. | 13:17 |
| moothecow | RoyK: then they better ditch the name ZFS too ;) | 13:17 |
| RoyK | ScottK: oh - that's pretty bad... | 13:17 |
| RoyK | moothecow: not really, it was released under CDDL under that name | 13:17 |
| ScottK | Yeah. | 13:17 |
| RoyK | why are you guys so paranoid? it won't make much difference if they call it IlluFS, it's the same thing | 13:18 |
| moothecow | RoyK: yes, but once implementations start to differ, bad things will happen and so they can no longer use ZFS as the name (in my humble opinion - and Oracle will probably force them at that point) | 13:18 |
| ScottK | Asking for renaming is not unreasonable. | 13:18 |
| RoyK | I can't find that article, but the new versioning scheme will be tag based, allowing different implementations, potensially with different features, to co-exist | 13:20 |
| RoyK | anyway - asking me to rename Illumos ZFS in #ubuntu-server won't help much ;) | 13:20 |
| moothecow | RoyK: great - and who decided that? They have *NO* rights on ZFS whatsoever. - I'm not asking you to do anything ;) just stating that if they change / add features it's not ZFS anymore, Oracle dictates that featureset, as well as the implemenation specifics etc. I'm also not saying anything is wrong with that. | 13:21 |
| RoyK | moothecow: have you read CDDL? | 13:21 |
| ScottK | But as RoyK suggests, this isn't the place it'll get sorted out. | 13:22 |
| xnox | well ZFS is proprietary now. The last revision under SUN was under CDDL, the later rivisions which add e.g. encryption and other bits have not been released | 13:32 |
| xnox | so e.g. FreeBSD implementation is stuck at the obsoleting ZFS revision.... | 13:33 |
| RoyK | xnox: that only depends on how you see it. the illumos zfs implementation has replaced versioning with feature tags or something, and those changes are likely to be ported to fbsd | 13:34 |
| RoyK | but then, if you start out with Oracle ZFS being the only true implementation, then of course, illumos' ZFS implementation will be "obsolete", but then, that's only if trying to move a dataset from Oracle Solaris 11 or later | 13:35 |
| RoyK | meaning move the physical disks around, or try to install illumos on a previous s11 system | 13:35 |
| xnox | true. | 13:37 |
| xnox | TBH the future looks glum: both ZFS author and Btrfs authors left Oracle. | 13:37 |
| xnox | so... I wonder if they have FS devs left working on these or not. | 13:37 |
| uvirtbot | New bug: #960350 in keystone (main) "Cleanup Keystone package descriptions" [Undecided,New] https://launchpad.net/bugs/960350 | 13:41 |
| hallyn | stgraber: notice you marked the api as done. what did you still need from me to code for it? do you plan to stick it into the package soon-ish, or wait for more upstream confirmation? | 13:52 |
| hallyn | for that matter i suppose i can toss it into my github tree to 'formally' ask for review from dlezcano :) | 13:53 |
| stgraber | hallyn: yeah, I marked it as done as it looked liked most of the hard work was done, now it's really just catching up with the C library whenever new features are added, but that's quite easy to do on my side | 13:53 |
| hallyn | stgraber: (doing +1 maint at least through next week, so not much time) can you send an email reminding me what you need me to code? | 13:54 |
| stgraber | hallyn: as I mentioned on Friday, there are quite a few functions that I'll need for some tools using the API, so there's still quite a bit of work to do on the C side of the API | 13:54 |
| stgraber | hallyn: ok, I'll send you an e-mail | 13:54 |
| hallyn | stgraber: thanks | 13:54 |
| stgraber | hallyn: also, do you have any opinion on allowing shmmin/shmax (or whatever they're spelled these days) | 13:55 |
| stgraber | hallyn: I've noticed quite a few people hitting that problem on the lxc mailing-lists (trying to raise the limit and failing because of apparmor) | 13:56 |
| hallyn | stgraber: what do we need to do to help those people? | 13:57 |
| hallyn | do they need a new policy? | 13:57 |
| hallyn | we can try adding a 'lxc.ipc.shmin' config option | 13:57 |
| stgraber | hallyn: I think just allowing write access in apparmor, if these are indeed safe | 13:58 |
| hallyn | stgraber: <shrug> that's more susceptible to DOS of course | 14:01 |
| hallyn | the lxc.conf file is owned by host owner, whereas if we allow the container to write to the sysctl files, we're trusting the container owner | 14:02 |
| hallyn | but oh well, priorities :) | 14:02 |
| hallyn | stgraber: so we should start considering how to ship helpful bits of policy | 14:02 |
| hallyn | stgraber: i wonder if we can use various abstractions/lxc/* bits that can be combined in per-container policies | 14:03 |
| hallyn | /etc/apparmor.d/abstractions/lxc/{nested,ipcshm,...} | 14:04 |
| stgraber | hallyn: what would be the risk of DOS here? As I understand it /proc/sys/kernel/shm* are tied to the IPC namespace so changing these values shouldn't affect anything outside the container | 14:04 |
| hallyn | stgraber: well they can set shmmax to host-max and fill it up... | 14:05 |
| hallyn | that's just tied to a tmpfs mounted on /dev/shm right? | 14:05 |
| hallyn | so worst case they can fill up a tmpfs, but that *can* affect the host | 14:06 |
| stgraber | hallyn: right, but they can already fill the tmpfs at the moment, so I don't see how that's making things any worse | 14:06 |
| === Gorfi is now known as EA1GIY | ||
| zul | stgraber/hallyn: is there examples of how to use the api stuff? | 14:12 |
| stgraber | zul: There are a bunch of binaries to show how the C api works and an example python script in python3-lxc | 14:12 |
| hallyn | stgraber: agreed, def not worth the time to code a new config at the moment. what do you think about /etc/apaprmor.d/abstractions/lxc/ pre-filled with some useful policy bits? | 14:13 |
| hallyn | zul: download stgraber's source tree or packages from ppa | 14:13 |
| hallyn | examples | 14:13 |
| stgraber | hallyn: that's pretty much what we have already no? | 14:13 |
| stgraber | stgraber@castiana:~$ ls /etc/apparmor.d/abstractions/lxc* | 14:13 |
| stgraber | /etc/apparmor.d/abstractions/lxc-container-default | 14:13 |
| stgraber | /etc/apparmor.d/abstractions/lxc-start-container | 14:13 |
| stgraber | hallyn: though for shm I'd just allow it for everyone as it's not making things any worse. The real problem here is tmpfs. | 14:14 |
| zul | stgraber: is the source available somewhere? | 14:15 |
| hallyn | stgraber: i think we should not pollute /etc/apparmor.d/abstractions as much, | 14:15 |
| hallyn | stgraber: and document :) but that's for later. do you want to queue up the policy change when you get a chance, or should i? | 14:16 |
| stgraber | zul: ppa:stgraber/experimental the branch is lp:~ubuntu-lxc/ubuntu/quantal/lxc-api-and-python (tends to be rebased fairly often, so --overwrite is usually required) | 14:16 |
| stgraber | hallyn: I'll prepare the policy change and move things under abstractions/lxc/, I'll also add the policy change to the next SRU and get that uploaded (6 changes are way enough for one SRU) | 14:17 |
| hallyn | stgraber: :) | 14:17 |
| RoyK | xnox: there was only one btrfs guy in Oracle, Chris Mason, and he has said he'll keep up his work with btrfs http://www.muktware.com/3678/btrfs-creator-chris-mason-leaves-oracle | 14:37 |
| xnox | or he will disappear with internal work in the new workplace due to copyright assignment. | 14:37 |
| hallyn | dude. i hadn't heard he was leaving | 14:38 |
| hallyn | or, i guess, had left :) | 14:39 |
| RoyK | xnox: he'll be working with storage in his new job as well, and according to the people in #btrfs, there doesn't seem to have been much change | 14:39 |
| RoyK | xnox: there are other developers too, you know ;) | 14:39 |
| === zyga is now known as zyga-afk | ||
| === zyga-afk is now known as zyga | ||
| melodie_ | hi | 14:59 |
| RoyK | ho | 14:59 |
| melodie_ | I am not sure wether here is relevant for this question : there is a package "chkconfig" in Precise, it is obsoleted by the use of Upstart Jobs. what to do ? | 15:00 |
| patdk-wk | not so much as obsoleted, as it was never recommended | 15:01 |
| patdk-wk | it is just there to let rhel/centos people have an easier time | 15:01 |
| ScottK | patdk-wk: It actively doesn't work now though. | 15:02 |
| patdk-wk | oh? heh :) | 15:02 |
| melodie_ | this version has nothing to do with the one provide by rhel or fedora and it has a bug | 15:02 |
| ScottK | But there are a number of packages that do something useful in Debian, but not Ubuntu and generally we just ignore them. | 15:02 |
| melodie_ | patdk-wk, it asks for /sbin/insserv which is not there but in the /lib tree directory | 15:02 |
| ScottK | Trying to maintain a large blacklist of such packages isn't a cost effective use of engineer's time. | 15:03 |
| melodie_ | ScottK, why not clean out the repos from unsuseful packages to make it easier to find the ones that are useful ? | 15:03 |
| ScottK | melodie_: Don't bother trying to figure out how to fix it. It won't work. | 15:03 |
| patdk-wk | ya, sounds like it's limited to init.d, not upstart | 15:03 |
| ScottK | Precisely. | 15:03 |
| melodie_ | ScottK, sure, I have tried : I created a symlink to see what and the shell insulted me verbosely telling me that it was the Upstart Job work | 15:04 |
| ScottK | melodie_: Historically sync blacklist maintenance has been a lot of work. | 15:04 |
| ScottK | Some recent changes might have made it more scalable. | 15:04 |
| ScottK | Let me ask about it. | 15:04 |
| melodie_ | yes, for sure ! | 15:04 |
| melodie_ | I would be very happy to bring a contribution even small by pointing to such details | 15:05 |
| ScottK | I've asked for advice on the matter. | 15:07 |
| melodie_ | ScottK, thanks, I'll stay connected here for a moment, incase you get an answer before this evening | 15:16 |
| ScottK | melodie_: I'll remove it for the next release (quantal). After an Ubuntu release packages are never removed (except for legal reasons and I only rember that happening once). | 15:19 |
| melodie_ | ScottK, that is very good ! Is there a place where it is especially relevant to go, in order to point to such obsolete packages that could be removed for a next release of the distro ? | 15:21 |
| ScottK | File a bug against the package and subscribe the ubuntu-archive team to the bug. | 15:21 |
| melodie_ | ScottK, ok, I look | 15:22 |
| ScottK | melodie_: Have a look at the top entry in https://launchpad.net/ubuntu/+source/chkconfig/+publishinghistory | 15:25 |
| FunnyLookinHat | Is anyone aware of plans to get php5.4 into 12.04 - or will it wait for 12.10 ? | 15:26 |
| melodie_ | ScottK, thanks for the pointer | 15:26 |
| melodie_ | the link... | 15:26 |
| ScottK | You're welcome. | 15:27 |
| ScottK | FunnyLookinHat: 12.10. | 15:27 |
| stgraber | jjohansen: ping | 15:27 |
| jjohansen | stgraber: hey | 15:28 |
| stgraber | jjohansen: hey there, so I'm looking at blocking access to /proc/sys/kernel/* except for shm*. I tried "deny @{PROC}/sys/kernel/[^shm]* wklx," but that doesn't seem to work :) what am I missing? | 15:28 |
| stgraber | where "not working" shows up as everything being writable | 15:29 |
| jjohansen | stgraber: hrmm, that should block several things | 15:30 |
| melodie_ | ScottK, ok got it, so I think I don't need to file a bug report ? | 15:30 |
| ScottK | melodie_: Not for this one. | 15:31 |
| stgraber | jjohansen: our previous rule was "deny @{PROC}/sys/kernel/** wklx," which works great, except that it doesn't allow shm* and that's causing problems to some users | 15:31 |
| jjohansen | stgraber: you are looking more for @{PROC}/sys/kernel/[^s][^h][^m]* wklx, | 15:32 |
| stgraber | jjohansen: gah, indeed I am... :) | 15:32 |
| melodie_ | ScottK, all right ! you are a very efficient server manager ! thanks | 15:32 |
| stgraber | jjohansen: and my test file started with "m", explaining why it was allowed :) | 15:32 |
| melodie_ | going now | 15:33 |
| ScottK | Imagine how efficient I would be if I was getting paid to do this. ;-) | 15:33 |
| melodie_ | bye | 15:33 |
| melodie_ | ScottK, same here | 15:33 |
| jjohansen | stgraber: lmk if that doesn't work and I'll dig into the compiled expression | 15:33 |
| melodie_ | I have done remasters for pclinuxos for 3 years, now they have gone mad I'll continue with Ubuntu | 15:33 |
| melodie_ | :D | 15:33 |
| melodie_ | ++ | 15:33 |
| melodie_ | :) | 15:34 |
| stgraber | jjohansen: looks like it's working. I ended up going with: | 15:38 |
| stgraber | deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, | 15:38 |
| stgraber | deny @{PROC}/sys/kernel/*/** wklx, | 15:38 |
| stgraber | jjohansen: as for some reason "deny @{PROC}/sys/kernel/[^s][^h][^m]**" doesn't work and neither would "deny @{PROC}/sys/kernel/[^s][^h][^m]*/**" | 15:38 |
| jjohansen | stgraber: hrmm, I'll look into that, can you paste me the whole policy so I can be sure I don't have any differences to what you are trying | 15:40 |
| stgraber | jjohansen: http://paste.ubuntu.com/1076605/ | 15:41 |
| jjohansen | stgraber: okay, thanks | 15:42 |
| jjohansen | stgraber: oh can you also pastebin me the test paths that where failing | 15:43 |
| stgraber | jjohansen: I tested with /proc/sys/kernel/shmmax (should be writable), /proc/sys/kernel/modprobe (shouldn't be writable) and /proc//sys/kernel/yama/ptrace_scope (shouldn't be writable) | 15:45 |
| jjohansen | stgraber: thanks | 15:46 |
| === dendrobates is now known as dendro-afk | ||
| kees | stgraber: are you running that container without cap_sys_admin? | 15:56 |
| stgraber | kees: nope, the container has cap_sys_admin | 15:56 |
| === matsubara-afk is now known as matsubara | ||
| === Lcawte|Away is now known as Lcawte | ||
| stgraber | hallyn: tested the apparmor changes, everything looks good so uploading these to quantal, will then rebase lxc-api-and-python on that and will prepare the SRU | 16:03 |
| stgraber | hallyn: changes that will make it to that SRU: http://paste.ubuntu.com/1076669/ | 16:24 |
| hallyn | SpamapS: the proposed SRu fix for bug 989354 was incomplete. To push the complete fix, I assume I need to use a new version # on top of the previous? | 16:25 |
| uvirtbot | Launchpad bug 989354 in cgroup-lite "cgroup-lite and separated /usr " [Critical,Confirmed] https://launchpad.net/bugs/989354 | 16:25 |
| hallyn | stgraber: hm. the dhclient one - that will continue to actually send its hostname then? | 16:26 |
| hallyn | ok yeah that sounds good | 16:26 |
| hallyn | (want to make sure that 'ssh containername.' will continue to work) | 16:27 |
| stgraber | hallyn: yeah | 16:27 |
| hallyn | stgraber: list looks good. odd that the LP#s are XX'd out | 16:27 |
| stgraber | hallyn: these are place holders, I need to file these bugs :) | 16:27 |
| stgraber | for the dhclient stuff, lxc-ubuntu didn't have the mangling of dhclient.conf and AFAIK it works fine, it's only lxc-clone that was doing that sed call | 16:28 |
| hallyn | oh, right, makes sense | 16:29 |
| BinaryMaster | Question: I am following the instructions on http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html to install openLdap however /etc/ldap/schema is empty | 16:59 |
| BinaryMaster | any way to get a copy of the ldif files that should be there? | 17:00 |
| hallyn | SpamapS: I've uploaded a new (complete) fix to precise-proposed for bug 989354, fwiw | 17:12 |
| uvirtbot | Launchpad bug 989354 in cgroup-lite "cgroup-lite and separated /usr " [Undecided,Fix committed] https://launchpad.net/bugs/989354 | 17:12 |
| BinaryMaster | ldapadd: invalid format (line 12) entry: "olcDatabase=hdb,cn=config" anyone know what this error means? | 17:15 |
| SpamapS | hallyn: I won't likely look at SRU's until next Wednesday | 17:21 |
| hallyn | SpamapS: ok | 17:21 |
| === cpg|away is now known as cpg | ||
| uvirtbot | New bug: #1021411 in lxc (universe) "LXC should allow writting to /proc/sys/kernel/shm* as they are covered by the IPC namespace" [Wishlist,In progress] https://launchpad.net/bugs/1021411 | 18:06 |
| uvirtbot | New bug: #1021416 in lxc (universe) "lxc-clone shouldn't be messing with dhclient.conf, causes conffile upgrade prompts on quantal" [Medium,In progress] https://launchpad.net/bugs/1021416 | 18:11 |
| uvirtbot | New bug: #1021418 in orchestra (main) "Replace python-software-properties Depends with 'software-properties-common'" [Undecided,Won't fix] https://launchpad.net/bugs/1021418 | 18:11 |
| === cpg is now known as cpg|away | ||
| uvirtbot | New bug: #1021421 in lxc (universe) "Allow fstype=fuse.*, for all containers" [Wishlist,In progress] https://launchpad.net/bugs/1021421 | 18:16 |
| koolhead17 | hello all | 18:19 |
| === zyga is now known as zyga-afk | ||
| === cpg|away is now known as cpg | ||
| stgraber | hallyn: debdiff for lxc sru: http://paste.ubuntu.com/1076870/ | 18:26 |
| uvirtbot | New bug: #1021428 in lxc (universe) "dh_apparmor runs against all binary packages, adding useless entries to lxc-dev's postinst/postrm" [Low,In progress] https://launchpad.net/bugs/1021428 | 18:26 |
| uvirtbot | New bug: #1021429 in lxc (universe) "lxc-list should show frozen containers" [Medium,In progress] https://launchpad.net/bugs/1021429 | 18:31 |
| === dendro-afk is now known as dendrobates | ||
| stgraber | hallyn: uploaded | 18:41 |
| hallyn | stgraber: (hm, jjohansen isn't on, was trying to ping him as well) i don't like the way we're having to do blacklists | 18:42 |
| hallyn | the @PROC/sys/ctl/[^s}[^h][^m] type stuff | 18:43 |
| hallyn | since jjohansen was asking for policy language improvements, here's something that coudl be made much better | 18:44 |
| stgraber | hallyn: oh yeah, that'd help a lot. Whitelisting single files is really a pain at the moment | 18:45 |
| Daviey | hallyn: If i wanted to create a tarball image for lxc usage, and inject it into lxc.. What would i do? | 18:47 |
| hallyn | Daviey: well you can just cp it to /var/lib/lxc/<container>/rootfs which is what i usually do | 18:48 |
| hallyn | Daviey: utlemming can probably tell you how to use cloud-init-files for it, using the lxc-ubuntu-cloud ubuntu template | 18:48 |
| hallyn | is this for use from juju, or something else? | 18:49 |
| hallyn | see lxc-create -t ubuntu -h | 18:49 |
| hallyn | sorry | 18:49 |
| hallyn | lxc-create -t ubuntu-cloud -h | 18:49 |
| hallyn | hm | 18:50 |
| utlemming | ubuntu-cloud lxc allows for user data...so concievably you could wget it via userdata | 18:50 |
| hallyn | yeah, i thought there was an option to pass in user-data (not script), but there's not | 18:50 |
| utlemming | it would be a pretty easy patch to allow for tarball injection | 18:50 |
| hallyn | so, what utlemming said | 18:50 |
| Daviey | So why do we have ubuntu and ubuntu-cloud? | 18:50 |
| hallyn | Daviey: is wget from user-data script feasible for you? | 18:50 |
| Daviey | shouldn't ubuntu-cloud become ubuntu? | 18:50 |
| Daviey | hallyn: what for? | 18:51 |
| hallyn | Daviey: what for what? you said you wanted to pass a tarball image into lxc. | 18:52 |
| hallyn | Daviey: so is creating a lxc-ubuntu-cloud container, passing in a user-data script, and wgetting your tarball from that script, sufficient for what you need? | 18:53 |
| hallyn | Daviey: i'm mostly ok with ubuntu-cloud becoming ubuntu, although ubuntu still has a few extra features (I think), and I sort of prefer to depend on debootstrap existing, than on the cloud images always being published. | 18:54 |
| hallyn | always being published in a way i can reliably consume | 18:54 |
| Daviey | hmm, interesting | 18:54 |
| hallyn | plus, i like the fact that i can debootstrap from apt-cacher-ng mirror, which has gotten populated just by apt-get dist-upgrade on the host, as opposed to a completely separate d/l of 200M | 18:54 |
| hallyn | still, you may be right | 18:55 |
| stgraber | FWIW I clearly prefer lxc-ubuntu to lxc-ubuntu-cloud, having a local mirror I can usually build a new template in a matter of seconds and without relying on Canonical's network working properly | 18:59 |
| hallyn | jjohansen: we were just talking about you. | 19:00 |
| jjohansen | hallyn: hrmmm, sorry I missed it, my vpn had some issues | 19:01 |
| hallyn | jjohansen: if you take a quick look at for instance /etc/apparmor.d/lxc/lxc-default at bottom, | 19:02 |
| jjohansen | hallyn: in quantal? | 19:03 |
| hallyn | jjohansen: and in http://paste.ubuntu.com/1076870/ stgraber had to add another deny entry " | 19:03 |
| hallyn | + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, | 19:03 |
| hallyn | jjohansen: or precise i think | 19:03 |
| hallyn | jjohansen: the point is that trying to whitelist a few files is cumbersome and almost guaranteed to have errors over time | 19:03 |
| hallyn | jjohansen: if there was a way we could have a userspace parser generate stuff liek that for us, | 19:04 |
| hallyn | so we could say "deny everything under /proc/sys/kernel except /shm" | 19:04 |
| jjohansen | hallyn: yes, its a big problem currently. There are some extension to make expressing things like that much easier on the roadmap but I doubt I will get to them this cycle | 19:05 |
| === cpg is now known as cpg|away | ||
| === cpg|away is now known as cpg | ||
| BinaryMaster | trying to compile from source and getting this error on ./configure configure: error: Unable to locate cc(1) or suitable replacement. Check PATH or set CC. | 19:07 |
| jjohansen | hallyn: I can poke and see about rearranging some priorities | 19:09 |
| hallyn | jjohansen: ok, i only mentioned it bc you had recently asked if there were any policy language improvements we could think of :) | 19:09 |
| hallyn | jjohansen: thanks, i think it's in important one | 19:09 |
| jjohansen | hallyn: yep, thanks keep them coming | 19:09 |
| === cpg is now known as cpg|away | ||
| === cpg|away is now known as cpg | ||
| sbeattie | Daviey: is your team planning a quantal nova upload anytime soon? | 19:23 |
| adam_g | sbeattie: zul and i were just discussing. upstream has introduced (last week) a new build-depends that is going to need to go through MIR :| | 19:27 |
| zul | sbeattie: yeah i plan one tomorrow | 19:28 |
| zul | adam_g: i plan to revert the setuptools-git for tomorrow and then plan to re-add it after the upload | 19:29 |
| sbeattie | zul, adam_g: okay, cool. I'm looking to get CVE-2012-3360 and 3361 (aka bug 1015531) taken care of in quantal. | 19:29 |
| uvirtbot | Launchpad bug 1015531 in nova/essex "Remote arbitrary file corruption / creation flaw via injected files" [Critical,In progress] https://launchpad.net/bugs/1015531 | 19:29 |
| uvirtbot | sbeattie: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3360) | 19:29 |
| zul | sbeattie: it should aleady be in trunk right? | 19:29 |
| Daviey | sbeattie: no, not short term | 19:30 |
| BinaryMaster | has anyone here successfully installed openLdap on Ubuntu Server 12.04 ? | 19:30 |
| koolhead17 | !openldap | 19:31 |
| koolhead17 | !ldap | 19:31 |
| sbeattie | zul: yes, should be in trunk. | 19:31 |
| ubottu | LDAP is the Lightweight Directory Access Protocol. For more information, installation instructions and getting clients to authenticate via LDAP see https://help.ubuntu.com/community/OpenLDAPServer | 19:31 |
| zul | sbeattie: should be in upload for tomorrow then | 19:31 |
| sbeattie | zul: awesome, thanks. | 19:31 |
| Daviey | zul: Folsom-2 on target for tomorrow? | 19:32 |
| koolhead17 | BinaryMaster, check the server guide i installed it at one go with previous release | 19:32 |
| zul | Daviey: we should be ready | 19:32 |
| adam_g | zul: how are we going to deal with setuptools-git ? | 19:33 |
| zul | Daviey: its been released already | 19:33 |
| Daviey | sbeattie: Bah, sorry.. i missparsed your question.. | 19:33 |
| BinaryMaster | yeah the new version is driving me nuts | 19:33 |
| Daviey | zul: did you re-upload setuptools-git? | 19:34 |
| BinaryMaster | it uses rtc configuration | 19:34 |
| zul | adam_g: well either fix the debian/copyright and get it uploaded today and a rush MIR or back it out | 19:34 |
| zul | Daviey: about to | 19:34 |
| Daviey | zul: If you upload it shortly, i'll review it.. and see if we can get speedy MIR'ing.. If not, back out the changeset. | 19:34 |
| zul | Daviey: ack | 19:34 |
| * koolhead17 pokes adam_g & zul | 19:35 | |
| zul | Daviey: ok setuptools-git uploaded with fixed debian/copyright | 19:37 |
| Daviey | ta | 19:38 |
| RichardRaseley | So, I am interested in setting up an OpenStack environment using JuJu and MaaS (as outlined here https://help.ubuntu.com/community/UbuntuCloudInfrastructure), but I only have 5 nodes to work with. Is it possible for me to co-locate some of the services but still use juju to do the deployment? Like if I wanted 1x for mass / juju 1x mysql, rabbitmq, keystone, horizon, and 3x nova nodes... | 19:45 |
| koolhead17 | RichardRaseley, every service will run on separate instance/node | 19:49 |
| RichardRaseley | koolhead17: That is too bad that juju is limited in that way - looks like I will have to do it manually. | 19:50 |
| RichardRaseley | Thanks. | 19:51 |
| blackhand0321 | its not so hard if you are using vm's | 19:51 |
| koolhead17 | RichardRaseley, its not bad, that is how its designed. juju works with service :) | 19:52 |
| koolhead17 | SpamapS, correct me if am wrong here siir. | 19:52 |
| RichardRaseley | koolhead17: Well, it is bad in this situation because it can't do what I'd like it to do. | 19:52 |
| Daviey | zul: did it have a watch file last time? | 19:52 |
| zul | Daviey: nope | 19:52 |
| Daviey | zul: ga dammit.. can you add a watch and get-orig-source please? | 19:53 |
| zul | Daviey: *sigh* sure | 19:53 |
| koolhead17 | RichardRaseley, try with one less nova compute, it will still work | 19:53 |
| blackhand0321 | he left.. | 19:54 |
| koolhead17 | blackhand0321, :( | 19:55 |
| SpamapS | darn he left too fast | 19:55 |
| SpamapS | koolhead17: there is a way to do it w/ less than 10 nodes | 19:55 |
| blackhand0321 | I had a dev platform setup this morning running with 3 nodes | 19:56 |
| koolhead17 | SpamapS, is there a blog/doc for that way around? It be cool | 19:56 |
| koolhead17 | blackhand0321, you used Juju? | 19:56 |
| blackhand0321 | yes | 19:56 |
| SpamapS | no | 19:56 |
| SpamapS | koolhead17: its a huge hack | 19:56 |
| koolhead17 | SpamapS, oooh | 19:57 |
| koolhead17 | blackhand0321, i have single machine setup without juju though | 19:57 |
| blackhand0321 | https://wiki.ubuntu.com/SecurityTeam/TestingMAAS | 19:57 |
| koolhead17 | SpamapS, we have so many docs available so many places :) | 19:58 |
| SpamapS | koolhead17: yes, this is not something we want to document.. we need to fix it | 19:58 |
| blackhand0321 | I agree with the fix logic but just was noting it was possible | 19:59 |
| koolhead17 | SpamapS, so we can run more than one service on a single VM | 19:59 |
| SpamapS | koolhead17: well for VMs I suggest sizing them properly for one service. But for real machines, yes. | 20:00 |
| Daviey | zul: can be added later, but is there a reason not to have a py3 package? | 20:00 |
| zul | Daviey: i didnt think of it | 20:00 |
| koolhead17 | SpamapS, okey | 20:03 |
| zul | Daviey: ok uploaded | 20:04 |
| === dendrobates is now known as dendro-afk | ||
| === dendro-afk is now known as dendrobates | ||
| hallyn | stgraber: did you see the email to lxc-devel with subject "set shmmax for container in lxc-execute" | 20:22 |
| stgraber | hallyn: yeah, I guess I should reply that it's going to be fixed by an SRU :) | 20:23 |
| hallyn | stgraber: cool thanks :) | 20:23 |
| === cpg is now known as cpg|away | ||
| === Aaton_off is now known as Aaton | ||
| === matsubara is now known as matsubara-afk | ||
| === zyga_ is now known as zyga | ||
| === cpg|away is now known as cpg | ||
| === cpg is now known as cpg|away | ||
| Daviey | roaksoax: Can you triage bug 1021488 please? | 21:33 |
| uvirtbot | Launchpad bug 1021488 in orchestra-modules "Please remove orchestra from Ubuntu" [Undecided,New] https://launchpad.net/bugs/1021488 | 21:33 |
| roaksoax | Daviey: done! | 21:34 |
| roaksoax | Daviey: should I subscribe to archive admins? | 21:35 |
| === MattJ100 is now known as MattJ | ||
| Daviey | roaksoax: sure | 21:35 |
| === MattJ is now known as Guest89758 | ||
| Daviey | roaksoax: I'm about to do the AA bit, but i wanted a fellow developer to sign it off first. | 21:35 |
| roaksoax | Daviey: ;) | 21:37 |
| roaksoax | RIP Orchestra | 21:37 |
| Daviey | roaksoax: and.. it's gone | 21:40 |
| Daviey | roaksoax: feel a bit nostalgic | 21:40 |
| Daviey | :) | 21:40 |
| roaksoax | Daviey: hahaha nah.... I barely remembered it existed after so much work on maas | 21:42 |
| roaksoax | s/Orchestra/MAAS in myt head | 21:42 |
| roaksoax | lol | 21:42 |
| Daviey | :) | 21:43 |
| Daviey | roaksoax: I don't want to break the news to fwereade. | 21:44 |
| roaksoax | Daviey: hehe!! I cna do it | 21:44 |
| roaksoax | :) | 21:44 |
| === cpg|away is now known as cpg | ||
| smw_ | Hi guys. For some reason my server mounted the root as readonly on restart | 22:06 |
| smw_ | how can I get log data? | 22:06 |
| genii-around | mount -o remount,rw / | 22:07 |
| === cpg is now known as cpg|away | ||
| smw_ | mount: cannot remount block device /dev/mapper/venice-root read-write, is write-protected | 22:08 |
| smw_ | anyone know why that error would occur? | 22:09 |
| Patrickdk | sounds self explanitory to me | 22:09 |
| Patrickdk | someone write-protected it :) | 22:09 |
| smw_ | Patrickdk, what does that mean? | 22:09 |
| smw_ | Is that a hardware (such as raid controller) limitation? | 22:10 |
| smw_ | write protected by what? | 22:10 |
| Patrickdk | I don't know, I don't own your server | 22:10 |
| smw_ | any way to dig deeper? What are examples that would cause such an error? | 22:10 |
| === dendrobates is now known as dendro-afk | ||
| Patrickdk | clicking write protect on a floppy disk, using a cdrom, ... | 22:11 |
| Patrickdk | if your using hardware raid, sounds like it's freaking out, so you should check it | 22:11 |
| === dendro-afk is now known as dendrobates | ||
| genii-around | Probably want to do a fsck then reboot | 22:14 |
| fwereade | Daviey: heh, consider the news broken; and my phlegmatic and dignified aspect to be the envy of all | 22:15 |
| Daviey | fwereade: Very noble! | 22:15 |
| smw_ | Patrickdk, that is my guess truthfully | 22:17 |
| asby | smw_, for protection ext3 can mount itself read only to prevent data loss. Try a forced fsck and reboot. | 22:23 |
| asby | If not helping check disk, raid, san, whatever you use to mount your root filesystem from. | 22:24 |
| smw_ | asby, I rebooted without fscking already | 22:25 |
| smw_ | need to wait about 40 min for it to come back up | 22:25 |
| smw_ | I will fsck it next chance I get | 22:25 |
| smw_ | thank god this is the dev/stage server... | 22:26 |
| smw_ | It is causing a great amount of annoyance... but not a catastrophe | 22:26 |
| asby | Tell me about annoyance. I have a server, with a fresh (and updated) install of 12.04 and the system will only reboot when I use a power cycle. Anything else (shutdown -r now/shutdown -h + power on) ends in hanging after init-bottom script. | 22:28 |
| smw_ | asby, did fsck (damn that reboot was quick) | 22:30 |
| smw_ | /dev/mapper/venice-root: recovering journal | 22:30 |
| smw_ | fsck.ext4: Bad magic number in super-block while trying to re-open /dev/mapper/venice-root | 22:30 |
| smw_ | e2fsck: io manager magic bad! | 22:30 |
| smw_ | asby, and when I say I did an fsck... I really mean fsck looked at it and threw up its hands | 22:30 |
| asby | problem with superblock or hardware related? | 22:32 |
| smw_ | asby, no idea | 22:33 |
| smw_ | this makes it look like the superblock | 22:33 |
| asby | try a dumpe2fs /dev/mapper/venice-root | grep superblock | 22:33 |
| asby | superblock is stored on multiple places in ext2/ext3. Don't know about ext4 though | 22:34 |
| smw_ | wonderful... | 22:34 |
| smw_ | fsck unmounted / | 22:34 |
| smw_ | no sudoers file... looking for the root password to see if / is remountable | 22:36 |
| asby | You can try this procedure: http://www.cyberciti.biz/faq/recover-bad-superblock-from-corrupted-partition/ | 22:38 |
| smw_ | asby, nice | 22:39 |
| asby | Although it also could be hardware related. In that case I hope you have hardware support and a good backup/restore procedure ;) | 22:39 |
| smw_ | asby, I am newly in charge of making such things (worked here a month, this server has been running for years) | 22:42 |
| smw_ | time to call the isp and get the server rebooted | 22:42 |
| asby | smw_, goodluck with it, it is bedtime here, so ttyl | 22:48 |
| smw_ | bye, thanks for your help | 22:50 |
| === arosales1 is now known as arosales | ||
| smw_ | what do people here use for monitoring? | 22:57 |
| smw_ | I like I am thinking of installing nagios | 22:57 |
| === Lcawte is now known as Lcawte|Away | ||
| qhartman | It looks like the apt repo for us-west-1 for ec2 is having issues. Is this just me or is there something legitimately amiss? | 23:50 |
| qhartman | hm, seems to be fixed already. Was getting a 403 on one of the files that "apt-get update" was trying to pull. | 23:54 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!
