/srv/irclogs.ubuntu.com/2012/08/23/#ubuntu-server.txt

=== nick is now known as Guest8685
[00:34] <darthanubis> would ltsp questions be considered server related?
[00:38] <RoyK> most certainly
[00:39] <RoyK> there's an #ltsp channel dedicated for it, though
[00:41] <darthanubis> RoyK, I'm in that channel as well, but it's kinda dead.
[00:41] <RoyK> some people in here might be able to help
[00:41] <RoyK> !ask | darthanubis
[00:41] <ubottu> darthanubis: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[00:42] * RoyK has been trying to fix his bicycle for some hours and needs sleep
[00:42] <RoyK> nite
[00:43] <darthanubis> failed to load session "ubuntu" is what I get from my thin client
[00:44] <darthanubis> Google has not been much help as of yet
[00:44] <RoyK> probably not the best time to ask in here - people will wake up in Europe in 4-5 hours
[00:44] * RoyK should have been sleeping some time ago
[01:05] * patdk-lap wonders if royk dreams of digital sheep
[01:11] <ae0000> i just logged into one of my servers and entered "sudo su" and it logged me in as root straight away... is that suspect? i had not performed any other sudo operations before that, it was literally just after sshing in
[01:11] <ae0000> another server running similar setup asked me for password in the same situation
[01:18] <Psi-Jack> ae0000: Yeah, that's highly suspect, if you are not logging in to root.
[01:18] <Psi-Jack> If you ARE logging in to root, and sudo su, (which you should stop that immediately! sudo -i!)  then it's obviously going to work. you already are root.
[01:19] <ae0000> its ok - i'm just deranged... i was logged in from another terminal :)
[01:20] <Psi-Jack> Different sessions are still different sessions.
[01:20] <Psi-Jack> Each session is cached individually.
[01:21] <ae0000> hmmm
[01:21] <ae0000> then thats still suspect
[01:21] <ae0000> scan for rootkits?
[01:23] <Psi-Jack> I definitely would be wary.
[01:23] <Psi-Jack> I just double verified it, logged in as a user from two completely different ssh sessions, and confirmed, sudo is cached per-session on Ubuntu 12.04
[01:23] <Psi-Jack> And 10.04
[01:25] <ae0000> ok .. thanks for the heads up... this is 10.10....
[01:39] <ae0000> ok i have tested this... and it remembers sudo access from the same terminal even after logging out and logging in again
[01:40] <ae0000> so.. fresh ssh login, sudo su [asks for password], exit, ssh login, sudo su [DOES NOT ask for password]
[01:40] <ae0000> panic averted :)
[01:40] <ae0000> rkhunter is happy as well
[02:03] <aarcane> I'm running iscsi target (targetcli) on my ubuntu server (12.04).  I'm trying to figure out how to enable trim support.  my underlying device supports trim, and my OS atop the iSCSI volume.  I'm not certain about the initiator or the target though.  I want to ensure it's active or enabled in lio.
[02:03] <RoyK> patdk-wk: Now the world has gone to bed, Darkness won't engulf my head, I can see by infra-red, How I hate the night
[02:03] <RoyK> Now I lay me down to sleep, Try to count electric sheep, Sweet dream wishes you can keep, How I hate the night ,
[02:08] <Daviey> roaksoax: still around?
=== n0ts_off is now known as n0ts
[04:33] <maxagaz> I did everything to have mod_rewrite, but it seems not to be working
[04:33] <maxagaz> how can I check it ?
[04:39] <qman__> maxagaz, sudo a2enmod rewrite; sudo service apache2 restart
[04:39] <maxagaz> qman__: I did  that already
[04:41] <qman__> that's all there is to it
[04:41] <qman__> you can verify by checking to make sure the files are there
[04:42] <qman__> you should have two files, /etc/apache2/modules.enabled/rewrite.load and /usr/lib/apache2/modules/mod_rewrite.so
[04:44] <qman__> /etc/apache2/modules.enabled/rewrite.load loads the module, and /etc/apache2/apache2.conf loads the .load file
[07:15] <blackshirt> hello
[07:15] <blackshirt> I have tried to login from squirrelmail using virtual user created with ldaputils scripts
[07:16] <blackshirt> but the mail.err log says : dovecot: imap(hayate): Error: user hayate: Initialization failed: Namespace '': mkdir(/home/hayate/Maildir) failed: Permission denied (euid=8(mail) egid=8(mail) missing +w perm: /home, dir owned by 0:0 mode=0755)
[07:16] <blackshirt> anyone here can help me ?
[07:52] <freakynl> hi, anyone know how to get kernels from the list (dpkg -l linux*)? They're already removed but remain in the list (seemingly for ever)
[08:01] <rbasak> freakynl: use dpkg -P (for purge). But make sure you don't purge any kernels that you might want to use, such as the one in use!
[08:06] <freakynl> rbasak: thx but doesn't work says it's not installed
=== n0ts is now known as n0ts_off
[08:07] <freakynl> rbasak: http://pastebin.ca/2197530
=== kedare is now known as Guest10697
=== n0ts_off is now known as n0ts
=== Guest68144 is now known as wordpress
=== wordpress is now known as ikonia
=== Xtrapni is now known as trapni
[08:43] <progre55> hi guys. I have a remote server with nfs installed on it. it has been running for only 15 days now, but leaking memory. Total server memory is 590Mb, and top/htop show 546Mb used memory. However, there are no processes in the process list that are using any considerable amount. How can I track what process could be leaking?
[08:47] <freakynl> progre55: what does free say
[08:48] <progre55> used: 581920   free: 22460    buffers: 4712    cached: 18164
[08:49] <progre55> -/+ buffers/cache:     559044      45336
[08:50] <freakynl> hmm not much in cache/buffers, if you sort by memory (M) in top you don't see anything consuming memory (many processes can add up)?
[08:52] <progre55> not really.. the highest process using up memory is bash with 1.2%
[08:53] <melmoth> slabs ?
[08:53] <progre55> there are a total of 50 processes, and they each use from 0.7 to 0.1 (0.0)
[08:54] <melmoth> hmm, however, i would expect slab usage to be included in the cache metric.
[08:54] <progre55> sec, let me post it
[08:55] <progre55> here is the slabtop output http://pastie.org/4573288
[08:57] <progre55> what is "idr_layer_cache"?
[08:57] <progre55> let me google :)
[09:00] <progre55> well at least I'm not the only one having this problem with a fileserver http://lkml.org/lkml/2012/7/25/495
[09:01] <henkjan> we had this problem also on 12.04 / nfs server
[09:01] <henkjan> migrated to netapp :)
[09:03] <progre55> so does that mean we also have to migrate? any bugs open at least?
[09:09] <henkjan> in our case the slabcache eat all memory in 1,5 day and let the server OOM
[09:09] <henkjan> bad for our customers, we had no time to investigate
[09:10] <henkjan> i guess its a kernel issue
[09:10] <henkjan> you could try to upgrade to a quantal backported kernel
[09:18] <henkjan> progre55: you can add a bug in launchpad
[09:18] <henkjan> i'll click the 'affects me too' button :)
[09:37] <progre55> henkjan: I've never opened a bug report :) but let me see what I can do
=== mcclurmc is now known as mcclurmc_away
=== n0ts is now known as n0ts_off
[10:29] <brendand> does anyone know the meaning of 'ethtool-lite: ethtool ioctl on eth0 failed'?
[10:32] <brendand> is it significant
[10:52] <progre55> can anyone tell me what idr_layer_cache is and what can cause too many idr_layer_cache objects in the slab?
[10:55] <progre55> I'm suspecting frequent I/O might be the reason, but how come the slab is unreclaimable? /proc/meminfo shows "SUnreclaim:   494112 kB"
=== cpg is now known as cpg|away
[10:57] <ttilley> where might one find the scripts/software used to build the ubuntu EC2 AMI images?
[10:59] <progre55> ttilley: you can use ec2-bundle-vol from the ec2-ami-tools package, but not sure if you could bundle an AMI from a non-EC2 machine
[10:59] <ttilley> progre55: i'm just curious what i can learn from the build system itself
[11:00] <ttilley> the goal being to read the code more than to build an AMI :)
[11:00] <progre55> oh I see :)
[11:00] <progre55> well try reading the ec2-bundle-vol code then :)
[11:01] <ttilley> heh
[11:05] <progre55> ttilley: there is also an ubuntu cloud service called eucalyptus, and I remember bundling images there, too. I think the package was called euca2ools and you'd run euca-bundle-vol
[11:06] <ttilley> isn't eucalyptus effectively deprecated in ubuntu? with the semi-recent switch to and focus on openstack?
[11:18] <koolhead11> ttilley: i think if you want Euca you have to use their PPA for recent pkgs
[11:19] <ttilley> koolhead11: i don't want euca, but i do want to read the code for the scripts/software that's used to build the ubuntu EC2 AMI images if you know where I can find that. :)
[11:26] <Blazemore|Work> Anyone know why nslcd can't connect to my OpenDP LDAP server, whereas other tools like lat can?
[11:27] <Blazemore|Work> The syntax I'm using in /etc/nslcd.conf is "uri ldaps://127.0.0.1:1636" - is that correct? it has SSL and is running on that port
[11:27] <Psi-Jack> Blazemore|Work: About that ldapsearch, is that working as expected?
=== mcclurmc_away is now known as mcclurmc
[11:27] <anotheruser> Hello. I'm running ubuntu 10.04 LTS on my server. I see in my access.log traces of an attack on phpmyadmin using http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-2506.html
[11:27] <uvirtbot> anotheruser: setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506)
[11:27] <Blazemore|Work> Psi-Jack: Well I can connect to it with lat
[11:27] <Blazemore|Work> What would ldapsearch do?
[11:28] <anotheruser> My question is this : why is a year old critical vulnerability still as "needed" for the LTS version ?
[11:28] <anotheruser> does that mean my server is vulnerable?
[11:28] <Psi-Jack> ldapsearch is the standard openldap client tools.
[11:28] <Psi-Jack> anotheruser: File a bug report. It's off topic.
[11:28] <anotheruser> It's not off topic
[11:29] <anotheruser> i need to determine if my server was compromised or not
[11:29] <anotheruser> and it's definitely about ubuntu
[11:29] <Psi-Jack> This channel is for people needing help, not griping like a little baby.
[11:29] <anotheruser> I need help.
[11:29] <Psi-Jack> No, you just want to whine.
[11:29] <anotheruser> -_-
[11:29] <anotheruser> I want to know if my server is compromised or not
[11:29] <anotheruser> which, strangely, is quite important to me
[11:29] <anotheruser> can't you understand that?
[11:29] <patdk-lap> anotheruser, that isn't even part of ubuntu, that is in universe
[11:29] <Psi-Jack> heh
[11:29] <Blazemore|Work> Psi-Jack: I just tried using getent passwd again, and analysed using Wireshark
[11:30] <anotheruser> universe isn't part of ubuntu?
[11:30] <Blazemore|Work> I can see the cert details being exchanged, so something is happening
[11:30] <patdk-lap> it's optional
[11:30] <anotheruser> it's still in ubuntu
[11:30] <rbasak> Universe is community maintained. In this case, it looks like nobody in the community has provided a suitable patch.
[11:30] <patdk-lap> Universe - Community maintained software, i.e. not officially supported software.
[11:30] <Psi-Jack> Blazemore|Work: Sounds like nslcd is failing to actually authenticate.
[11:30] <anotheruser> i see
[11:30] <rbasak> I started from launchpad.net, searched for the CVE and got https://launchpad.net/bugs/cve/CVE-2011-2506 which took me to bug 806788.
[11:30] <Psi-Jack> Blazemore|Work: Are you using simple auth, anonymous auth, or kerberos?
[11:30] <uvirtbot> Launchpad bug 806788 in phpmyadmin "phpMyAdmin Security fixes in versions 3.3.10.2 and 3.4.3.1" [Undecided,Invalid] https://launchpad.net/bugs/806788
[11:30] <uvirtbot> rbasak: setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506)
[11:31] <Blazemore|Work> Psi-Jack: Do you know anything about nslcd? lat connects fine with the same server details
[11:31] <anotheruser> so basically, If i want to be safe, I shouldn't use any package from universe?
[11:31] <patdk-lap> anotheruser, or track security issues yourself
[11:31] <Psi-Jack> Blazemore|Work: Yes, my entire home infrastructure, comprised of 7 physical machines and 16 virtualized servers.
[11:32] <Psi-Jack> All KerberosV5+OpenLDAP managed for authentication shared credentials.
[11:32] <Blazemore|Work> Why would syslog be saying http://pastebin.com/VVkHx6AG
[11:32] <Psi-Jack> Because it can't connect to the LDAP server.
[11:33] <Psi-Jack> Now, are you going to run around in circles aimless, or you going to actually answer the asked question leading towards actually helping you?
[11:33] <Blazemore|Work> Sorry, I missed that. I am using anonymous auth because we just need to test our password policy config
[11:34] <Psi-Jack> Worst idea ever. :)
[11:34] <Blazemore|Work> We're going to need to test other things on it too
[11:34] <Psi-Jack> To expose full passwords, anonymously, is the worst policy you can ever do. :)
[11:34] <Blazemore|Work> They're not real passwords
[11:34] <Blazemore|Work> Like I said, it's a test environment running on a single machine
[11:37] <Psi-Jack> Well, please pastebin the relevant lines in your nslcd.conf: egrep -v '^[#|\w].*' /etc/nslcd.conf
[11:37] <Psi-Jack> Err,  egrep -v '^.*'
[11:37] <Psi-Jack> Bah..
[11:37] <Psi-Jack> Err,  egrep -v '^#.*'
[11:37] <Psi-Jack> Skipping commented lines. :)
[11:38] <anotheruser> pffffff... how to know if my server is compromised or not...
[11:38] <greppy> anotheruser: what makes you think it is?
[11:38] <anotheruser> "POST /phpmyadmin/index.php?session_to_unset=123&token=bc45df26a9d74ac15a05241fbc88473c&_SESSION[!bla]=%7Cxxx%7
[11:38] <anotheruser> Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A42%3A%22%2Ftmp%2Fsess%5Fqpeaqpscd4pl0in2ifq43duskcr47hmv%22%3B%7D%7D&_SES
[11:38] <anotheruser> SION[payload]=%3C%3Fphp%20eval%28base64%5Fdecode%28%22ZWNobyAic3Q0cjciLnBocF91bmFtZSgpLiI3aDMzbmQiOw%3D%3D%22%29%29%3B%20%3F%3E HTTP/1.1"
[11:38] <anotheruser> any idea what that would do, by chance? '^^
[11:38] <standoo> is it worth it to set a dns server on ubuntu or use a 3rd party dns?
[11:38] <Blazemore|Work> Psi-Jack: http://pastebin.com/XFPJhpBT
[11:38] <Blazemore|Work> standoo: Depends what you need to do
[11:38] <Psi-Jack> standoo: Depends. Is it worth it to YOU?
[11:39] <Psi-Jack> Blazemore|Work: So your base DN is dc=example,dc=net?
[11:39] <greppy> anotheruser: interesting... not sure :)
[11:39] <standoo> Blazemore|Work: what do i need to consider?
[11:39] <anotheruser> the base 64 decode doesn't make sense to me...
[11:39] <Blazemore|Work> Hmm Psi-Jack I'm not sure. Could I find out with lat?
[11:39] <Psi-Jack> Blazemore|Work: Dude. I don't even know what the heck "lat" is.
[11:40] <Psi-Jack> LOL
[11:40] <Blazemore|Work> OhhhhH! One second!
[11:40] <Psi-Jack> I use openLDAP, and openLDAP tools.
[11:40] <Blazemore|Work> Psi-Jack: it's a graphical tool for managing LDAP
[11:40] <Blazemore|Work> We're on Oracle OpenDS
[11:40] <Psi-Jack> Ahhhh..
[11:40] <Psi-Jack> So, not actually OpenLDAP.
[11:41] <Psi-Jack> I use Apache Directory Studio for my LDAP GUI interface. Eclipse-based. Very sexy. :)
[11:41] <Blazemore|Work> Psi-Jack: It was actually com, not net, but the error is the same after changing it and doing service nslcd restart
[11:42] <Blazemore|Work> Makes me think "Server is unavailable" is a generic sort of error message
[11:42] <Psi-Jack> OKay, So, now that you've corrected the issue of OpenLDAP vs OpenDS.. Are you running OpenDS using OpenJDK, or Oracle JDK?
[11:42] <Blazemore|Work> Oracle JDK
[11:42] <Psi-Jack> Good. Won't work at all (with SSL) with openjdk.
[11:43] <Blazemore|Work> java version "1.6.0_33"
[11:43] <Psi-Jack> tls_cacertfile /path/to/ca/cert
[11:43] <Psi-Jack> Add that to your nslcd.conf
[11:43] <Blazemore|Work> sp?
[11:43] <Blazemore|Work> cacertfile correct?
[11:43] <Psi-Jack> Use the full path to your CAcert
[11:43] <Blazemore|Work> OK
[11:44] <anotheruser> "POST /phpmyadmin/index.php?session_to_unset=123&token=bc45df26a9d74ac15a05241fbc88473c&_SESSION[!bla]=|xxx%7
[11:44] <anotheruser> Ca:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:42:"/tmp/sess_qpeaqpscd4pl0in2ifq43duskcr47hmv";}}&_SES
[11:44] <anotheruser> SION[payload]=<?php eval(base64_decode("ZWNobyAic3Q0cjciLnBocF91bmFtZSgpLiI3aDMzbmQiOw==")); ?> HTTP/1.1"
[11:44] <anotheruser> it's scary.
[11:44] <Psi-Jack> anotheruser: STOP.
[11:45] <anotheruser> ...
[11:45] <Blazemore|Work> /ignore anotheruser
[11:45] <Blazemore|Work> Psi-Jack: I've done that, same error. var/syslog is mentioning <group/member="root"> do you know how I can check that's correct?
[11:45] <anotheruser> I thought the ubuntu community was supposed to be helpful
[11:46] <Psi-Jack> Blazemore|Work: Eh?
[11:46] <Blazemore|Work> The error message from syslog (follows)
[11:47] <Blazemore|Work> nslcd[10917]: [8b4567] <group/member="root"> failed to bind to LDAP server ldaps://127.0.0.1:1636: Can't contact LDAP server: No such file or directory
[11:47] <Blazemore|Work> "No such file or directory" is new
[11:48] <Psi-Jack> Blazemore|Work: Do you have TLS enabled on the DS?
[11:48] <Blazemore|Work> No
[11:48] <anotheruser> So from what i gather, the payload in this attack was just to display the version of PHP. What would you do if you were in my situation? upgrade phpmyadmin, and hope that nothing else is compromised? Are there standard ways to check the security of the server?
[11:48] <Blazemore|Work> Just... idk "normal" SSL?
[11:49] <Psi-Jack> anotheruser: I would stop exposing phpmyadmin to the world.
[11:49] <Psi-Jack> Period.
[11:49] <Psi-Jack> That's just common sense.
[11:49] <Psi-Jack> Blazemore|Work: Does nslcd work without the tls_reqcert and ldap:// uri?
[11:49] <Blazemore|Work> I had to do some funky hoop-jumping to turn our .crt and .key files into a .jks that DS can understand
[11:50] <anotheruser> well, i upgraded, and changed the alias, that should be enough for that. What i worry more about is how to know if the hacker did something to take control of the server already or not... and how to know it...
[11:50] <Blazemore|Work> Let me try
[11:50] <Psi-Jack> anotheruser: Did you have aide installed and keeping track? Have you been keeping consistent backups?
[11:51] <anotheruser> I have backups of databases websites etc., but not of the whole hard drive...
[11:51] <Psi-Jack> Then you'll never know.
[11:52] <anotheruser> i didn't know about aide
[11:52] <anotheruser> you recommend to use it?
[11:52] <Blazemore|Work> The config file can only be read by root, is that relevant?
[11:52] <rbasak> There is debsums, but that's not really for security verification, and running it offline might be a bit tricky
[11:52] <Blazemore|Work> nslcd: no URIs defined in config ...fail!
[11:52] <rbasak> (and for checking a system after a compromise you *must* run any checks offline)
[11:52] <Blazemore|Work> That's what happens Psi-Jack if I comment out the url and tls_reqcert
[11:52] <Psi-Jack> anotheruser: It's like tripwire, intended to watch over important stuff, and keep track of them, so if they change, you can see it.
[11:52] <anotheruser> I see
[11:53] <Psi-Jack> Blazemore|Work: Yeah, no shit. Don't comment out the uri, change it to ldap:// non ldaps://
[11:53] <Blazemore|Work> OK
[11:53] <Psi-Jack> LOL
[11:53] <Blazemore|Work> I'll have to comment out ssl enable as well
[11:54] <Blazemore|Work> No still hangs on getent passwd without SSL
[11:54] <Psi-Jack> anotheruser: As-is, phpmyadmin isn't running as root, or at least it better not be. So whatever exploit they did to phpmyadmin was isolated to just anything owned by www-data user/group.
[11:54] <Psi-Jack> Welp, dunno then, Blazemore|Work.
[11:55] <anotheruser> hmm, i might be able to check all of that against backups
[11:55] <Psi-Jack> The little time I dealt with OracleDS, it was okay, but java-based pissed me off to no end, so I went back to my trusty OpenLDAP.
[11:55] <Blazemore|Work> OK well thanks anyway Psi-Jack
[11:55] <Blazemore|Work> Appreciated
[11:55] <Psi-Jack> And like I said, I do OpenLDAP with KerberosV5 auth-bind. So I use it rather extensively. :)
[11:56] <Psi-Jack> PITA to setup all that, but once it's in place, it's very sexy. :)
[12:07] <anotheruser> ok, i think i understand better the attack now... It seems it used the phpmyadmin attack to search for another vulnerability, but thankfully my server was resistant to that, so I should be ok.
[12:08] <anotheruser> I will install aide as you suggested
[12:08] <anotheruser> but now i wonder, is it reasonable to just remove universe from my apt settings? so that i at least know when i want something that isn't officially supported...
[12:10] <anotheruser> yeah it tried to read in /var/lib/php5, which was not readable by www-data
[12:12] <Psi-Jack> Like I said.
[12:12] <Psi-Jack> Don't expose phpMyAdmin to the world.
[12:12] <Psi-Jack> That's just ignorant and stupid.
[12:12] <anotheruser> i naively (ignorantly, if you want) thought that ubuntu kept it up to date
[12:12] <anotheruser> now i realize my mistake
[12:13] <Psi-Jack> That doesn't even matter!
[12:13] <Psi-Jack> You should NEVER expose things like that to the public!
[12:13] <anotheruser> ok ok, i agree with you on the principle
[12:13] <anotheruser> but the truth is that it's just the same to expose phpmyadmin as exposing say a well known CMS
[12:13] <anotheruser> a vulnerability will allow to run php on your server just the same
[12:14] <anotheruser> ok, it's a bit worse for phpmyadmin if he can then access the databases
[12:14] <Psi-Jack> Ya think?
[12:14] <anotheruser> but it would probably be possible anyway, from when you can run php
[12:14] <patdk-wk> Psi-Jack, well, if you have that option :)
[12:15] <anotheruser> and yes, there is the problem that if your customer want a phpmyadmin, you can't always forbid it
[12:16] <anotheruser> I thought it would be better to use the ubuntu included one, rather than have people install it manually and not keep it up to date
[12:16] <anotheruser> but that was my mistake...
[12:18] <anotheruser> so... -installing aide - hiding phpmyadmin - other suggestions to improve security?
[12:18] <patdk-wk> mod_security?
[12:18] <patdk-wk> some good extra rewrite rules to restrict bad things
[12:20] <anotheruser> i'm afraid to use too restrictive filter that would prevent legitimate php apps to work normally
[12:21] <patdk-wk> heh?
[12:21] <anotheruser> well
[12:21] <anotheruser> maybe i'm not up-to-date on what this mod_security is exactly
[12:21] <anotheruser> in my mind it was something that checked url, and if detecting attacks, blocked it
[12:21] <patdk-wk> yep
[12:21] <anotheruser> like if there is "<script>" it won't be happy etc.
[12:22] <patdk-wk> maybe you should learn how your php apps actually work then
[12:22] <patdk-wk> normally when something says, filename=<script> that is bad
[12:22] <anotheruser> but i don't control all the php applications on my server
[12:22] <anotheruser> so i'm a bit afraid to use that
[12:22] <patdk-wk> don't control?
[12:23] <patdk-wk> is it your server?
[12:23] <anotheruser> it is my server, and other people host applications on it
[12:23] <patdk-wk> then you are liable for ANYTHING that server does, whoever it attacks, ...
[12:23] <patdk-wk> doesn't matter who hosts stuff on it
[12:24] <patdk-wk> yes, someone rooting your server is annoying
[12:24] <patdk-wk> but then your server attacking the government, well, that gets you in trouble
[12:24] <anotheruser> that's not entirely true, legally
[12:24] <anotheruser> well, maybe it depends on the country law, but in my country i'm pretty sure it's not
[12:25] <anotheruser> a hosting company isn't responsible legally for the content its user upload
[12:25] <anotheruser> (though it can be asked to block/remove it)
[12:25] <Psi-Jack> anotheruser: Actually it is entirely true.
[12:27] <Psi-Jack> I mean, just look at what happened to that torrent site, demonoid. It wasn't illegal, technically, to do what they were doing, however, the Ukraine Ambassador went to the US Ambassador, and were convinced to do a full all-out assault on the site and then take down everyone running it.
[12:28] <jdstrand> anotheruser: apparmor would be another way to help: http://wiki.apparmor.net/index.php/Mod_apparmor_example
[12:29] <anotheruser> ok, thanks, i'll look into it
[12:29] <anotheruser> and thanks for the other suggestions and all the help
[12:56] <zul> smb: ping
[13:03] <anotheruser> Psi-Jack, do you know if apt-get install aide is enough to have a working installation of aide? I mean, is the default configuration by ubuntu enough for basic use? or do I need to manually configure it...
[13:05] <Psi-Jack> Of course now, you actually have to configure it, d'uh./
[13:05] <Psi-Jack> not*
[13:06] <Psi-Jack> NEVER just default use anything, especially on a server. Don't be ignorant, use common sense.
[13:06] <Guest81255> anotheruser: It has no default configuration.
[13:06] <anotheruser> ok, thanks
[13:06] <Pici> never is pretty strong.  Just be smart about what defaults you choose.
=== Guest81255 is now known as jpds
[13:45] <floogy> Hi I got an issue to upgrade from oneiric to precise with zentyal installed. slab returns an error and leaves zentyal-core unconfigured. Therefore 20 packages are leaving in an inconsistent state. Ooops now slabd returned only error code 1 and some packages could be configured, but 6 packages are left unconfigured due to that error.
=== n0ts_off is now known as n0ts
[13:47] <floogy> dpkg --configure slapd Loading the LDIF dump failed, slapadd: line 1: database #1 (dc=mydom,dc=local) not configured to hold "dc=nodomain"; did you mean to use database #2 (dc=nodomain)?
[13:47] <floogy> *slabadd
[13:49] <floogy> The first error was related to this https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1003854
[13:49] <uvirtbot> Launchpad bug 1003854 in openldap "Database upgrade/migration fails with nested db directories (lucid to precise)" [Medium,Confirmed]
[13:51] <floogy> Now it seems to be something like this: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/979833
[13:51] <uvirtbot> Launchpad bug 979833 in openldap "package slapd 2.4.28-1.1ubuntu4 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1" [Low,Expired]
[13:53] <floogy> But I don't know how, and where to remove that dc=nodomain example
=== cyphermox_ is now known as cyphermox
[14:04] <metap0d> Hi everyone, I installed Ubuntu Server 12.04.1 (64bit) on a spare machine yesterday. I have given it a static IP but can't reference it by the hostname. On Windows when I ping by the hostname there is something like a 10% chance it actually works ... most of the time resulting in a failure. We have a DNS server which I added the IP/Hostname combo of the server to. (I reference the DNS Server in /etc/networking/interfaces). Do
[14:10] <rbasak> metap0d: sounds like your problem is on your DNS server rather than the server you've just installed. You can check with nslookup on windows
=== n0ts is now known as n0ts_off
[14:15] <metap0d> rbasak: I got DNS request timed out.     timeout was 2 seconds. Default Server:  UnKnown Address:  192.168.5.26
[14:15] <metap0d> rbasak: 192.168.5.26 is the DNS server
[14:39] <Daviey> roaksoax: hey, was http://iso.qa.ubuntu.com/qatracker/milestones/230/builds/21387/testcases/1288/results done?
[14:39] <Daviey> i thought you were doing that last night?
[14:39] <roaksoax> Daviey: that test does not apply to precise
[14:40] <roaksoax> Daviey: it only applies to quantal maas
[14:40] <Daviey> roaksoax: ahh, yes
[14:42] <hallyn> zul: i'm leaving 967435 to you until you say otherwise?
[14:43] <zul> hallyn: thanks :)
[14:43] <zul> hallyn: do we want 0.10.0 in quantal? it will make things easier in the long run
[14:44] <Daviey> roaksoax: hey.. the test case it links to was last edited Install/ServerMAAServer (last edited 2012-03-28 20:59:15 by matsubara)
[14:44] <Daviey> roaksoax: so why is this not Precise suitable ?
[14:45] <roaksoax> Daviey: that tests covers " This will test that the MAAS server offers an option to periodically update cloud images."
[14:45] <roaksoax> and "This will test that the MAAS server offers an option to cache archives locally."
[14:45] <roaksoax> which are not under Settings
[14:45] <roaksoax> in precise
[14:46] <Daviey> roaksoax: i don't follow.
[14:46] <Daviey> roaksoax: should it not update to the 12.04.1 images?
[14:47] <arm4ndina> Hi, I have an Apache server for which I have set up HTTPS (GnuTLS). When I load a page, sometimes the browser some css/js files or only load some of them... any idea how to solve/diagnose this ?
[14:47] <roaksoax> Daviey: those are cronjobs
[14:48] <roaksoax> Daviey: look at the STEPS:
[14:48] <roaksoax> Daviey: http://testcases.qa.ubuntu.com/Install/ServerMAAServer
[14:49] <Daviey> roaksoax: So.. this test should be valid for post 12.04.1 images, when the peer images are released, right?
[14:49] <hallyn> zul: I'm fine with it, but is it too late?  (FF)
[14:49] <Daviey> As in, cannot be tested until after release?
[14:49] <hallyn> zul: it has the reboot support?
=== n0ts_off is now known as n0ts
[14:50] <roaksoax> Daviey: those tests are valid for post-precise MAAS releases
[14:50] <zul> hallyn: supposedly im looking at the commit right now...it will easier to backport fixes if we need to as well
[14:51] <hallyn> zul: sounds good
[14:51] <zul> smoser:  what do you think?
[14:51] <Daviey> roaksoax: post 12.04 or post 12.04.1?
[14:51] <roaksoax> Daviey: both
[14:52] <roaksoax> Daviey: there are no MAAS releases backported/SRU'd to precise
[14:57] <Daviey> roaksoax: hmm, ok.  I don't quite follow, but you seem quite sure :)
[14:59] <roaksoax> Daviey: basically, there's MAAS settings not released in precise, and that test is asking to test those settings
[14:59] <roaksoax> Daviey: and furthermore, I'm not even sure oif they work
[14:59] <roaksoax> s/if/that
[15:02] <Daviey> heh
[15:03] <smoser> whats the question?
[15:26] <capitaninsaneoh> I'm trying to host a webserver that requires SSL on a firewall I have and I've got a few questions about IP's.  Do I have to give my server 2 IP's?  My firewall uses SAT so I would have to have one address that is internal and one that is publicly available right?  Do I just create a sub interface or should I use another nic?
[15:28] <metap0d> Hi everyone, I installed Ubuntu Server 12.04.1 (64bit) on a spare machine yesterday. I have given it a static IP but can't reference it by the hostname. On Windows when I ping by the hostname there is something like a 10% chance it actually works ... most of the time resulting in a failure. We have a DNS se
=== n0ts is now known as n0ts_off
capitaninsaneohmetap0d, did you put an A record in your DNS server?15:29
rbasakmetap0d: it still sounds like a problem on your DNS server. Is your DNS server running Ubuntu? That's what you need to focus on.15:30
metap0dcapitaninsaneoh: I won't lie in saying I don't know much about this, the DNS server is a Microsoft Server 2008 machine. I added a DNS entry of type Host (A) with the name of the Ubuntu Server and Data as the IP Address15:32
metap0drbasak: It's running Microsoft Server 200815:32
capitaninsaneohmetap0d, make sure you (your client) is pointed at that DNS server.  Run nslookup and dig for that record15:33
rbasakmetap0d: ok, so if the problem is that your windows machine can't look up the IP address of your ubuntu server using your windows DNS server, then Ubuntu has nothing to do with your problem.15:33
rbasakmetap0d: you can isolate this with nslookup on your windows machine15:33
metap0dWhat would I be looking for with nslookup? ;o15:34
rbasakmetap0d: a common misconfiguration I've seen in the field in the windows world is that multiple DNS servers are configured on client machines, some pointing to active directory, and some pointing to an ISP directly.15:34
rbasakmetap0d: sorry, I can't remember how to operate windows nslookup. You're in the wrong place for this kind of question!15:34
capitaninsaneohAnyone good with NAT/SAT on Apache15:35
metap0drbasak: I'll ask just one more since I'm off topic, what did you want me to run the nslookup on, the DNS server?15:35
capitaninsaneohI'm not sure if I need two nics or just one15:35
rbasakNo, on your windows machine where your ping doesn't work from15:35
capitaninsaneohmetap0d, on the client (your desktop)15:35
metap0dno i mean i know to run nslookup on my machine ... but to what IP?15:36
capitaninsaneohmetap0d,  do ipconfig /flushdns15:36
=== railsraider_ is now known as railsraider
capitaninsaneohThen test for that machine15:39
metap0dcapitaninsaneoh: Sorry to test your patience, but I flushed the DNS and am ready to run the nslookup ... but it asks for an IP/Hostname. I ran nslookup SK-Server on my client but it finds Server:  UnKnown Address:  192.168.5.26  *** UnKnown can't find SK-SERVER: Non-existent domain15:42
arosalesutlemming: looks like cloud images test ok for 12.04.115:43
utlemmingarosales: yes, other than some invalid test cases in the tracker things look good15:44
arosalesutlemming: thanks for testing that.15:44
arosalesutlemming: to confirm I have your ack on signing off on the cloud images for https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest/12.04.115:44
=== n0ts_off is now known as n0ts
capitaninsaneohAnyone good with NAT/SAT wirewalling and multiple IPs on Apache15:49
ikoniawhat ?15:49
capitaninsaneohAnyone good with NAT/SAT firewalling issues and multiple IPs on Apache15:51
capitaninsaneohfirewalling... sorry15:52
ikoniawhy don't you just state the problem.......15:52
capitaninsaneohI'm trying to host a webserver that requires SSL on a firewall I have and I've got a few questions about IPs.  Do I have to give my server 2 IPs?  My firewall uses SAT so I would have to have one address that is internal and one that is publicly available right?  Do I just create a sub interface or should I use another nic?15:52
capitaninsaneohThere it is =)15:52
ikoniayou are doing the address translation on the firewall /15:53
ikonia?15:53
* patdk-wk is more confused15:53
patdk-wkare the webserver and firewall the *same* computer?15:53
ikoniayeah the "on a firewall" wording isn't helpful15:54
capitaninsaneohpatdk-wk, , no i have a sep hardware firewall15:54
ikoniacapitaninsaneoh: are you installing this on ubuntu yes/no15:55
capitaninsaneohikonia, Yes my server is on Ubuntu server15:55
ikoniacapitaninsaneoh: right, so you are not installing "on a firewall"15:55
ikoniayou are installing on a server that sits behind a firewall, yes/no ?15:55
capitaninsaneohikonia, Yes behind a hardware firewall15:55
ikoniacapitaninsaneoh: the firewall is doing the IP address translation yes/no15:56
capitaninsaneohthat is what NAT/SAT means15:56
ikoniano it doesn't15:56
capitaninsaneohIn this case it does15:56
capitaninsaneohI have a hardware firewall15:56
ikoniatell you what, sort it yourself15:56
capitaninsaneohnot using Iptables15:56
ikoniaif you can't be bothered to answer questions I'm going out of my way to be clear on, sort it yourself15:56
capitaninsaneohI'm answering them15:56
ikoniaargue your poor wording with someone else.15:57
capitaninsaneohI'm just trying to be clear15:57
capitaninsaneohikonia, go not help someone else15:57
ikoniaunderstood,15:57
capitaninsaneoh=)15:57
=== n0ts is now known as n0ts_off
jdstrandzul: one last question on the cinder mir16:09
jdstrandzul: hi btw :)16:09
josePhoenixI think automatic upgrades got me in a pickle16:24
josePhoenixIt started installing a new kernel version but couldn't because /boot was full16:25
josePhoenixNow I can't remove old kernel packages because it says there are uninstalled dependencies16:25
anotheruserjosePhoenix, when apt is broken you can try to remove manually things with dpkg... but caution with that, or you'll have a totally unusable system :)16:34
josePhoenixif I'm running a 3.0 series kernel... I can safely remove the 2.6 packages, right?16:34
anotheruserremoving with apt is safe yeah (if it works)16:35
josePhoenixWell, apt won't work.. it hits me with the "the following packages have unmet dependencies" when I try to do apt-get remove linux-image-2.6.38-11-server16:36
anotheruserwhat package, if i may ask?16:36
anotheruseror several?16:36
anotheruserthere is also the apt-get with the -f option to try to fix broken installations16:37
anotherusersometimes that works16:37
genii-aroundjosePhoenix: If you have another partition/disk with more room, you can make a boot directory there, copy the current contents over to it, then bind-mount it long enough to uninstall stuff. Then you can un-mount it, mv the dir back to original spot overwriting what's there.16:38
anotheruserand only if nothing else works, you can try with dpkg directly, as i said (dpkg --remove or something), which always works, but can break things further if you're not careful16:39
=== dendrobates is now known as dendro-afk
josePhoenixanotheruser, genii-around: here's what I have tried (apt-get -f install and apt-get remove) http://dpaste.org/U1vk9/16:40
=== dendro-afk is now known as dendrobates
zuljdstrand: ping for the /usr/share/cinder/rootwrap it looks like an optional directory for other distros its empty for us16:41
anotheruserjosePhoenix, I would start by removing the newly installed packages that weren't fully installed16:41
anotheruserthen remove older kernels with apt16:41
anotheruserthen install again the new one16:41
anotheruserall of this should normally be possible with apt16:41
genii-aroundjosePhoenix: I'm not suggesting any arcane apt or dpkg commands. Merely to fix: "<josePhoenix> It started installing a new kernel version but couldn't because /boot was full" by temporarily giving the /boot directory more room on another drive or partition16:42
anotheruserjosePhoenix, hmm actually the package that has problem is linux-image-server which you need obviously, so my solution isn't exactly correct i guess16:43
anotheruseror is it possible to remove it without removing anything else? i'm not sure in truth, i don't use the server packages '^^16:44
josePhoenixgenii-around: that sounds like the easiest solution actually, I just don't remember how to bind mount stuff (haven't done it since I did a Gentoo install about five years ago xD)16:45
anotheruserif you can, just apt-get remove linux-image-server, then removing old kernels, then installing linux-image-server would fix it... .but that only works if removing linux-image-server breaks nothing :-)16:45
anotheruseri have no idea if other packages depend on linux-image-server16:47
josePhoenixOkay, well I must go for now.. but back to this shortly16:49
genii-aroundeg: If you have room on sdb1 which is mounted say at /mnt   .. sudo mkdir /mnt/boot && sudo cp -arv  /boot/*  /mnt/boot && sudo mount --bind /mnt/boot /boot  ... then in here you do the apt-get stuff that was previously failing due to no space on /boot  ... then sudo sync && sudo umount /boot && sudo mv /mnt/boot /boot16:51
anotheruserit seems nothing depends on linux-image-server, so my solution probably works16:52
ubuntu_12hello, i have a question about a black screen issue on a 12.04 64 bit install16:57
ubuntu_12i have tried the nomodeset fix but it does not seem to help16:57
=== mcclurmc is now known as mcclurmc_away
=== n0ts_off is now known as n0ts
=== n0ts is now known as n0ts_off
=== nrd is now known as nerdux
=== lordievader_ is now known as lordievader
poningruhey guys how long are the lts releases supported for the server os?18:45
andolponingru: Five years, and as of 12.04 that goes for the Desktop too.18:46
andol...and that last part is good news even server side, sparing you from having to concern yourself with whether a package is a server package or not.18:47
poningruindeed18:47
poningruwe are just now switching to 12.0418:47
poningruthanks andol18:50
andolnp18:50
arrrghhhhey all.  anyone know how logrotate works?  i don't see a cron job for my user or root, but i assume logrotate runs on a regular basis?18:53
andolarrrghhh: No /etc/cron.daily/logrotate file?18:54
geekbriThat is indeed where it lives.18:54
arrrghhhah i didn't think about looking there.18:54
arrrghhhi was always looking at crontab, thanks.18:54
arrrghhhso i'd guess that means it runs daily?  :P   at midnight?18:55
geekbriMine runs at 062518:58
geekbriif you look in /etc/crontab you can verify when your cron.daily runs18:59
arrrghhh062519:02
arrrghhhthx :)19:02
=== arrrghhh is now known as Arrrghhh
=== Arrrghhh is now known as arrrghhh
josePhoenixHello all19:23
josePhoenixI'm trying to work around a full /boot and borked apt-get install19:23
anotheruserjosePhoenix, have you tried my solution19:25
=== railsraider_ is now known as railsraider
=== jibel__ is now known as jibel
=== cpg|away is now known as cpg
josePhoenixanotheruser: I actually did get the bind mount thing to work20:43
anotheruserok, good then20:43
josePhoenixCan't reboot the server though :|20:44
anotheruser(though i think it was a lot of work for something much easier to solve :p)20:44
anotheruserhem20:44
anotheruserso you mounted to another boot, which was a copy of your old boot, installed the kernel, removed old kernels, copied the new boot to the old boot, and tried to reboot20:44
anotherusercorrect?20:44
josePhoenixwell, I know how mount, cp -a, and rm work... and I can't claim the same familiarity with dpkg and apt20:44
josePhoenixI mean, it might be fine. I just can't reboot it until I have access to a windows machine, because my IT department is stupid20:45
anotheruseroh, ok20:45
anotherusermisunderstood :)20:45
josePhoenixThe VMWare console program only works on windows.. remarkable shortsightedness, don't you think?20:46
josePhoenixWell, we won't know if anything works until tomorrow evening at the earliest :D Gotta move across the country20:47
=== cpg is now known as cpg|away
=== cpg|away is now known as cpg
=== cpg is now known as cpg|away
=== cpg|away is now known as cpg
=== zyga_ is now known as zyga
=== Ursinha` is now known as Ursinha
=== dendrobates is now known as dendro-afk
dan64I have a user on my system named "nobody" created by a server I am using to serve cgi scripts. I would like to be able to use nice in the cgi scripts, so I added the following to /etc/security/limits.conf: "nobody - nice -20". It works when I also add the same line for another user (myself), but it doesn't work in isolation. Any ideas?23:29
SpamapSdan64: those limits are not applied to services23:42
SpamapSdan64: that's a pam-session thing23:42
=== cpg is now known as cpg|away
=== dendro-afk is now known as dendrobates
dan64I am launching the cgi-server manually. It's not starting as a service. Something I just noticed is that I can nice a process as nobody with just my username in limits.conf, and not nobody.23:58
