/srv/irclogs.ubuntu.com/2013/01/10/#ubuntu-server.txt

=== slank is now known as slank_away
ddsss	what is export DEBIAN_FRONTEND=noninteractive for?	00:36
sarnold	ddsss: to keep debconf from stopping an install to ask you a question	00:41
ddsss	sanderj_, makes sense. thanks	00:45
ddsss	sarnold, makes sense. thanks	00:45
jnix	howdy, the time has come for me to familiarize myself with ubuntu administration, any suggestions on where to start?	01:54
jnix	my bacground is with RHEL (RHCE)	01:54
lifeless	the wiki perhaps?	01:55
jnix	hoping to get fairly decent with it so i can start badgering my company to start supporting it too	01:56
jnix	the way you guys do apache is a ton different, this is my first area of study	01:58
sarnold	jnix: this may be a good starting point: https://help.ubuntu.com/12.04/serverguide/httpd.html	01:59
jnix	the serverguide, this looks like exactly what i'm trying to find, sweet	01:59
jnix	first step is to stop trying to use chkconfig ;)	02:00
sarnold	hehe	02:01
sarnold	jnix: you'll probably need this bookmarked, at least for a while: http://upstart.ubuntu.com/cookbook/#override-files	02:02
jnix	will do, started my learning process by installing 12.04 on my home server, running a minimal kvm hypervisor currently, now i need to get my php scripts working again	02:03
jnix	thank goodness theres so much documentation out there	02:03
jnix	sweet.. i can use kickstart files with ubuntu!	02:07
IdleOne	pangolin: would you please stop trying to log into my nickserv account	04:45
IdleOne	every time you do nickserv sends me a notice.	04:45
IdleOne	that'll learn you	04:46
elkingrey	I'm in the process of learning my first programming language, Python. I'm still sort of a tech noob. I've been using Linux for three years. I built a VPS by following directions. I still host my own website. But anywho, I feel like I need to gain a better understanding of things like Apache, sockets, tcp/ip, and so many more things that I don't even know I need to know. What I'd really like is to be able to thorough know and understand my LAMP	05:02
elkingrey	stack and be a good sys admin for my server. For example, I run my own mail server. I never maintain it. It works and I can send and receive my email, but often times mail gets returned for being considered spam. Somebody once excoriated me because I don't know how to properly run a mail server, and that's why there's so much spam in the world. I don't even know where to go to learn how to be a good sys admin. I browsed some books on oreilly.co	05:02
elkingrey	m, but didn't find anything that relevant. Can somebody give me some good book recommendations to be a good sysadmin so that I can be a better programmer?	05:02
sarnold	elkingrey: wow, that's years worth of knowledge and experience you're looking to acquire :)	05:49
sarnold	elkingrey: knowing how things works is always worthwhile though; I strongly recommend W. Richard Steven's Advanced Programming in the Unix Environment for a good, all-around introduction to the operating system. It'll be too detailed in many places, but it'll be a fantastic reference for the next decade or two.	05:50
sarnold	elkingrey: understanding TCP/IP deeply is also extremely helpful; W. Richard Stevens also has many good TCP/IP books; I _think_ TCP/IP Illustrated is probably the series to get. Skip over the XPI and STREAMS stuff. Read the T/TCP stuff but realize none of it is going to happen.	05:52
sarnold	elkingrey: I learned absolute tons about email from reading the three-inch-thick ora sendmail book, but I wouldn't wish sendmail on anyone; postfix's manpages are good and detailed but I haven't found a similarly good "overview" page of the thing.	05:54
elkingrey	sarnold: Browsing your recommendations now. Thanks!	05:57
sarnold	elkingrey: hrm, I just now remember that djb's qmail docs seemed good, when I read them 10~13 years ago. I bet they'd hold up well, those might help provide some nice perspective on things	05:58
elkingrey	sarnold: Here's a book that looks important. http://shop.oreilly.com/product/9780596002978.do	06:06
sarnold	elkingrey: ah, yes!	06:21
sarnold	elkingrey: I read an earlier version of that book, I thought it was a touch light in places, but it'll probably serve you better than TCP/IP Illustrated.	06:22
sarnold	elkingrey: this website will help you understand some of the deep deep linux networking magic: http://www.lartc.org/	06:26
koolhead17	hi all	07:54
=== smb` is now known as smb
=== tspxx is now known as tspx
=== IdleOne is now known as io
_ruben	oh boy .. do i get to hate perl's RRDs module's thread unsafety .. sigh	10:06
io	you seem intent on using that nick and trying to identify to it	10:15
io	pangolin: feel free to register the nick. I ungrouped it.	10:16
=== yofel_ is now known as yofel
pgp	Hi, i got problem with my ubuntu server, eth0 isnt coming on after a scheduled reboot :(	10:44
pgp	i can see the network controller in lspci	10:45
pgp	i keep getting msg No DHCPOFFERS received.	10:45
pgp	anyone please.	10:47
SuperMatt	well, sounds like your DHCP isn't offering it an IP address	10:48
pgp	well i've tried same router plugged into windows machine.	10:48
pgp	picks up fine	10:48
pgp	with same cable	10:48
SuperMatt	weird	10:48
pgp	when i do ifconfig eth0 it isnt showing me any ip address.	10:48
pgp	routing table is empty	10:49
SuperMatt	well it sounds like your router just isn't offering the ip address... have you tried rebooting/resetting the router?	10:49
pgp	its working fine with other devices SuperMatt...	10:50
pgp	also i dont know if i should be alarmed.	10:50
pgp	ethenet lights do not lit up?	10:50
pgp	on my ubuntu server.	10:50
SuperMatt	ah	10:50
pgp	where the cable goes in.	10:50
SuperMatt	sounds like there's a physical problem	10:50
pgp	bummer!	10:50
SuperMatt	as in, the connector just isn't working	10:51
SuperMatt	ubuntu may recognise the chip, but it sounds like the port is deaded	10:51
SuperMatt	though have a look inside the port for some fluff, maybe	10:51
pgp	ok	10:52
pgp	no luck...	10:53
pgp	am i correct in thinking that lights should lit up no matter wt?	10:53
SuperMatt	when I went to uni, I had an ethernet port in my room. I couldn't plug in my ethernet cable, so I investigated. I found a broken off "tab" from the last user's ethernet cable	10:53
SuperMatt	some people just don't know how to remove ethernet cables	10:53
SuperMatt	yeah, one should come on straight away	10:54
SuperMatt	it basically means it has power	10:54
SuperMatt	shouldn't matter if the os have brought the device up	10:54
pgp	i thought so,	10:54
pgp	well nothing changed really, only change that happened was scheduled reboot	10:54
pgp	and after that it never came back on	10:54
SuperMatt	hurm	10:55
SuperMatt	have you checked the bios? could be a bios option changed to turn it off	10:55
pgp	checked already	10:55
pgp	disabled and re-enabled.	10:55
SuperMatt	I'd be looking in to getting another nic then	10:56
SuperMatt	is it on the motherboard or is it a daughter board?	10:56
pgp	onboard :(	10:56
SuperMatt	I think it's new nic time then	10:56
pgp	i got a usb wifi stick	10:57
pgp	is it straight forward to configure them from command prompt	10:58
avickery	I installed Ubuntu desktop a while back and then installed each lamp component manually. Worked great. I could access the server from any device in the house by browsing to http://xx.local. I wanted learn more about the command line so I installed ubuntu server and did the same manual install of LAMP. I can access it by IP address but not by name, what gives?	13:14
ogra_	you want avahi-daemon to get the .local domain	13:16
avickery	Is it not installed by default and do I need to get rid of bind9?	13:18
ogra_	it is installed on the desktop but not in servers by default	13:19
ogra_	no idea if it clashes with bind	13:19
ogra_	i doubt it though	13:19
=== cpg is now known as cpg\|away
avickery	sudo apt-get install avahi-daemon?	13:19
ogra_	right	13:21
ogra_	if it doesnt work OOTB restert your network or reboot	13:21
avickery	Rock n' Roll. Worked in like 2 seconds. You rule! Thank you!	13:22
=== Ursinha is now known as Ursinha-afk
mah454	Hello	14:04
mah454	How can do this ? http://www.linuxquestions.org/questions/linux-networking-3/vpn-connection-peer-user-4175444976/	14:05
samba35	is it advisable to install pre-release package ?	14:14
gema	Daviey: ping	14:25
Daviey	gema: pong-a-dong	14:26
sw	Hi, is there a guide for upgrading a 12.04 server -> 12.10 via command line?	14:29
[conrad]	sw: do-release-upgrade should do the trick for you. I'm not sure if this is still the case, but a month or two ago when I used that approach to go to 12.10, I had a few additional steps because 12.10 was not considered stable.	14:30
[conrad]	Has something changed with isc-dhcp-server in Ubuntu 12.x ( in this case using the Alternative CD to do an LTSP server install? ). I had previously used deny unknown-clients; in combination with the removal of the range ( as proposed by shauno and patdk-lap ), and found this to work as expected, which was to allow a second DHCP server to run in our environment exclusively for thin clients who are "approved" via a host definiti	14:32
[conrad]	on with static ip's by MAC addresses, without interfering with the first ( which handles all other devices on the network ). Since deploying the 12.04 item, we've found some devices seem to still try and make a request from the DHCP server ( for which they are never given a response, which is partially correct )	14:32
ogra_	sw, you need to edit /etc/update-manager/release-upgrades on 12.04 to use non LTS for upgrading (by default 12.04 would only upgrade to 14.04), then use do-release-upgrade	14:33
sw	ogra_ Thanks.	14:40
hallyn	jamespage: ping on ipxe push?	14:46
M0rsa	Hello. Has anyone used squid and snort together over a bridge connection before. I've asked here before but I just got some guy saying it won't work w/out giving me any reason why	14:51
* jamespage puts down jenkins for a bit		14:51
jamespage	hallyn: sorry - been dealing with a jenkins security issue	14:51
jamespage	hallyn, I'll look right now	14:51
M0rsa	Hello?	14:52
M0rsa	Anyone live here?	14:52
M0rsa	Hello?	14:52
M0rsa	Anyone here?	14:52
jamespage	bye	14:53
jamespage	hallyn, is the end plan to get rid of kvm-ipxe? i.e. transition to ipxe-qemu?	14:55
feisar	I have 12.04 server running with raid1 and I'd like to install the grub bootloader on both disks (sda, sdb) but I'm getting the following error: '/dev/mapper/../dm-0 does not have any corresponding BIOS drive'. Could anyone point me in the right direction?	14:58
feisar	(the command I'm running is sudo grub-install --recheck /dev/sda)	14:58
patdk-wk	you install it to sda and sdb	15:02
feisar	well I need the system to boot even if I remove a failed disk, at the moment it will only boot if one specific drive is plugged in	15:05
feisar	sda and sdb make md0 (raid1)	15:05
feisar	but I think at the moment grub2 is only installed on the mbr of sda	15:06
feisar	if that makes sense	15:06
feisar	should I be running 'grub-install /dev/md0'?	15:08
sw	Hi, if I wanted to block all traffic apart from SSH connections on port 22 from 192.168.0.2, can someone give an example of the command?	15:10
feisar	use ufw	15:12
feisar	ufw default deny	15:12
feisar	ufw allow tcp/22	15:13
feisar	ufw emable	15:13
feisar	*enable	15:13
=== slank_away is now known as slank
feisar	oh sorry that allows any connections to 22	15:13
sw	Why ufw over iptables?	15:14
hallyn	jamespage: probably	15:14
feisar	ufw creates your iptables rules for you	15:14
sw	So again, why ufw over iptables?	15:15
hallyn	jamespage: but at the moment i wanted to minimize the already huge # of moving pieces	15:15
jamespage	hallyn, so why not just depend on kvm-ipxe until we are ready to change its name?	15:15
feisar	sw: ufw allow from 192.168.0.2 to any port 22	15:16
jdstrand	sw: ufw is a frontend for iptables. it handles common situations and integrates into the boot process. it provides an easy mechanism to update your firewall and a framework for configuring it	15:16
jdstrand	sw: it works particularly well as a host-based firewall. you can learn more about it with 'man ufw' and 'man ufw-framework'	15:17
hallyn	jamespage: to minimize the delta from debian for qemu...	15:18
hallyn	i'm trying to make future merges as simple as possible	15:18
jamespage	hallyn, ah - so qemu in debian depends on ipxe-qemu?	15:18
hallyn	right	15:18
hallyn	kvm-ipxe (/qemu-ipxe) also needs to drop 3 of the links it ships so qemu can ship them as it does in debian, but again i'm putting that off right now	15:19
sw	jdstrand So why should it be used over iptables?	15:19
sw	Or, 'instead of using iptables directly', I mean.	15:19
feisar	sw: if you want to use iptables, go ahead, or you could use ufw to create some iptables rules for you, either is fine. ufw is a little easier	15:20
jdstrand	sw: because it makes things easier for you	15:20
jdstrand	sw: if you don't care about that, use iptables	15:20
jdstrand	directly	15:20
sw	jdstrand I'm not saying I don't care, I'm asking a question as to how. And so far all I've gathered is 'it's just easier'. How is it easier, is what I'm asking?	15:21
jdstrand	sw: I just said why it is easier: it handles common situations and integrates into the boot process. it provides an easy mechanism to update your firewall and a framework for configuring it'	15:22
sw	Common situations?	15:22
jdstrand	sw: perhaps perusing https://wiki.ubuntu.com/UncomplicatedFirewall would demonstrate it better	15:22
feisar	sw: I gave you the commands you need to achieve what you want, using ufw. What you want to achieve is a common request. use those commands and get up and running or go and learn how to create rules directly using iptables	15:23
sw	Or you could have just given the iptables command, which is the question that was asked?	15:24
sw	Thanks anyway.	15:24
jdstrand	sw: iptables rules are not persistent	15:25
jdstrand	sw: and a simple iptables rule isn't enough to configure a firewall for the system	15:25
ssvss	HI, I have ubuntu-server running in virtual box. I wanted to increase the hd size. from the virtual box side I have increased the size. it shows the new size when checking from the host. how can I extend the hd size in the ubuntu-server guest machine.	15:25
jdstrand	sw: so you need to do things like configure ingress, egress, dhcp, logging, loading the firewall on boot, etc	15:26
jdstrand	sw: and ufw provides that	15:26
jamespage	hallyn, OK - I understand - working right now	15:26
jdstrand	'sudo ufw allow OpenSSH && sudo ufw enable' and you have a working firewall. to see what it is doing under the hood, read the man pages I mentioned and look at the rules in /etc/ufw	15:27
feisar	how do I install grub on the mbr of a disk when the disk is part of a raid1?	15:29
sw	jdstrand so ufw enable;ufw default deny;ufw allow from 192.168.0.2 to any port 22 does more than iptables -A INPUT -s 192.168.1.0/24 --destination-ports 22 -j ACCEPT; iptables -P INPUT DROP?	15:31
feisar	they would do different things	15:33
jdstrand	sw: yes (and you could just use 'ufw allow from 192.168.0.2 to any app OpenSSH ; ufw enable'	15:33
jdstrand	sw: like I said, it makes it so your rule is applied on reboot. sets up allowing dhcp, etc	15:33
sw	jdstrand Ok I'll use that, just seems odd 'speaking to it' rather than the default --options.	15:34
jdstrand	sw: to learn more, examine /etc/ufw/*rules and 'man ufw-framework'	15:35
=== Ursinha-afk is now known as Ursinha
jamespage	hallyn, uploaded	16:20
hallyn	jamespage: thanks!	16:24
* hallyn biab		16:24
=== slank is now known as slank_away
=== slank_away is now known as slank
thesheff17	anyone know allot about unattended-upgrades....I'm starting to test this some with 12.04 and some machines get 20auto-upgrades.ucf-dist	16:56
thesheff17	and the apt-get complains	16:56
matt_keys	I could use some help troubleshooting a Marvell 88E8001 GbE NIC on 12.10amd64 desktop. the link shows up, however it won't ping the gateway and the gateway can't ping it. ifconfig shows 2 "overruns"... i'm not sure what that means	17:05
matt_keys	pastebin.com/zmFTBwk2	17:05
=== slank is now known as slank_away
matt_keys	this nic is dedicated for iscsi traffic. the other nic, eth0, is connected the exact same way and is working fine. i did have mtu set at 9000, but i backed it back down to 1500 and restarted to see if that was the cause. the switches are all "dumb"	17:08
=== slank_away is now known as slank
ssvss	q	17:17
ssvss	Hi, when I run ubuntu server as virtuabox guest. when I increase the hd size from 8GB to 50GB, the ubuntu-server guest doesn't recognize the increased size. but the same works fine on ubuntu-desktop.	17:38
ssvss	After increasing the hd size, following command "blockdev --getsize64 /dev/sda5" in server shows the old hd size, but in ubuntu-destop it shows the increased hd size correctly	17:39
ssvss	any idea what I can do further to make it work in the server.	17:39
patdk-wk	reboot	17:39
patdk-wk	dunno if a scsi rescan would do it or not	17:40
ssvss	I increase the hd size after powering down the vm only. and check the size after a fresh boot	17:40
patdk-wk	how did you check the size?	17:40
ssvss	I used this cmd - ""blockdev --getsize64 /dev/sda5'	17:41
patdk-wk	why would you expect it to change size?	17:41
patdk-wk	you checked the size of a partition, not the disk	17:41
sarnold	I thought '5' was special, used for storing the _other_ extended partitions?	17:43
patdk-wk	partitions 1-4 are REAL mbr partitions, 5+ is for logical partitions	17:43
patdk-wk	or extended partitions	17:43
patdk-wk	still, it's a partition, not a disk	17:43
patdk-wk	you checked the partition size, not the disk size	17:44
RoyK	patdk-wk: extended partition must be on 1-4	17:44
RoyK	logicals inside one extended	17:44
patdk-wk	confusing, it's just a partition containing partitions :)	17:44
RoyK	patdk-wk: and you can have only one extended partition...	17:48
patdk-wk	not sure, never used them	17:49
sarnold	this kind of fiddly old stuff is why I've stuck to / /boot swap /home on my drives -- anything finer-grained means figuring out the odd details.	17:49
patdk-wk	oh, I do have /boot, /, /home, /usr, /var, /??? seperate on many systems	17:49
RoyK	patdk-wk: beleive me on that ;)	17:49
patdk-wk	but those systems don't use partitions	17:49
RoyK	patdk-wk: having /usr on a separate partition is so ninetees :)	17:49
patdk-wk	not when it causes the system to take forever to boot	17:50
patdk-wk	my freebsd systems, won't boot till fsck is done on the /, so I make it only like 1gig	17:50
patdk-wk	and everything else seperate	17:50
RoyK	doesn't fbsd have journaled filesystems these days?	17:51
patdk-wk	these days/ probably	17:51
patdk-wk	3years ago when it was setup? using ufs2	17:51
patdk-wk	I think it's ufs they use	17:51
* RoyK concludes that sitting mostly still for three months and then taking a small hour's bike ride makes some bodyparts ache...		17:52
sarnold	RoyK: iirc, journalled softupdates is work-in-progress	17:52
RoyK	k	17:52
ssvss	I am not sure why I used /dev/sda5. I followed an advice from vbox channel. Now when I check the disk size using "fdisk -l", it shows the increased size. any help on how I can extend the partion to increased size.	17:53
ssvss	https://gist.github.com/4504203	17:53
patdk-wk	ssvss, hmm, it should never auto-expand automatically	17:54
patdk-wk	you just need to use whatever patition program you want, gparted, fdisk, parted, ...	17:54
patdk-wk	and increase it	17:55
patdk-wk	then you will have to run resizefs to increase the filesystem	17:55
RoyK	patdk-wk: or resize2fs	17:56
patdk-wk	something like that	17:56
RoyK	exctly like that (if on ext[234])	17:56
patdk-wk	won't bash spellcheck? :)	17:56
RoyK	or autocomplete...	17:56
RoyK	well, it suggests alternate commands	17:57
RoyK	so yes	17:57
=== slank is now known as slank_away
Flavr	hello guys :)!	18:20
SpamapS	you know, even though hpcloud doesn't have a local mirror.. it downloads packages pretty darn fast from the main mirrors	18:21
Flavr	Anyone got any idea how to set up hiphop php ? :o	18:21
SpamapS	Fetched 55.0 MB in 17s (3197 kB/s)	18:21
SpamapS	Flavr: how many requests per second do you handle across all of your servers?	18:21
sarnold	SpamapS: not bad, faster than my home connectin anyway	18:22
SpamapS	sarnold: well its faster than my 20Mbit too. :)	18:22
Flavr	Spamaps We got big sponsors wait second	18:22
SpamapS	Flavr: if its less than 10000, you don't need hiphop php.	18:22
=== mrjazzcat is now known as mrjazzcat-afk
Flavr	We got server with 16 cpu 16gb ram and 200gb.... and we are setting up it on short url service...	18:23
SpamapS	one server	18:24
Flavr	tup	18:24
Flavr	yup	18:24
SpamapS	Flavr: http://www.hilarious-pictures.com/sites/www.hilarious-pictures.com/files/images/youre-doing-it-wrong.jpeg	18:24
Flavr	Sure I am, JUST designer...	18:25
Flavr	Who need developers...	18:25
SpamapS	Flavr: let me introduce you to this cloud thing...	18:25
Flavr	Its cloud server :o	18:25
SpamapS	right, but you're still doing it wrong	18:25
Flavr	cloud server node *	18:25
SpamapS	see the point is lots of cloud nodes	18:25
SpamapS	not one big one	18:25
Flavr	i see :o	18:26
Flavr	so you just say i sould run normal lamp stack ? :o	18:26
SpamapS	Flavr: in your situation, I'd recommend a PaaS	18:26
Flavr	what about tornado web server ?	18:26
SpamapS	Flavr: let people who know how to scale php do it for you.	18:26
Flavr	okey so what about the future.... if we get bigger and get more requests... sould we then move to hiphop ?	18:27
SpamapS	Flavr: look at what hip hop tells you. Its not like, 5x faster or anything	18:32
Flavr	okey... so what about tornado web server ? :o	18:32
Flavr	any benefits ?	18:32
SpamapS	Flavr: never heard of it	18:32
SpamapS	Flavr: honestly, your problem is not your software. Its your architecture.	18:33
=== gary_poster is now known as gary_poster\|away
Flavr	its from facebook too... lol	18:33
SpamapS	Flavr: let s PaaS vendor do this for you. They'll scale the PHP out, and handle things like databases and loadbalancers.. you just write your code.	18:33
Flavr	Tornado is an open source version of the scalable, non-blocking web server and tools that power FriendFeed. The FriendFeed application is written using a web framework that looks a bit like web.py or Google's webapp, but with additional tools and optimizations to take advantage of the underlying non-blocking infrastructure.	18:34
Flavr	SpamapS lol :p	18:34
Flavr	I am designer...	18:34
SpamapS	right	18:34
Flavr	We are looking for developers...	18:34
SpamapS	who isn't?	18:34
Flavr	Just trying... to figure what would ok to do...	18:34
=== gary_poster\|away is now known as gary_poster
Flavr	Btw.... any idea how we could handle out multiple requests... like randomly... generates... flvr.io flvr.me flvr.im	18:36
TheBronx	hi all!	18:53
TheBronx	I need help again, under a syn flood attack I see this message: "dst cache overflow" a lot of times.	18:54
TheBronx	and the network goes down until I force a remote restart of the server	18:55
TheBronx	is it possible to solve this problem?	18:55
=== slank_away is now known as slank
sarnold	TheBronx: talk to hetzner. get them to nail down the largest sources upstream.	18:56
TheBronx	hey, hi sarnold! upgrading to ubuntu 12 solved the first problem (the link up problem) hehe	18:56
TheBronx	it is not hetzner directly, it is "providerservice.com", and they told me they don't provide any firewall	18:57
TheBronx	so I'm trying to mitigate the problem just with software...	18:57
Flavr	iptables ? :o	18:58
TheBronx	csf yeah	18:58
TheBronx	with SYNFLOOD activated	18:58
TheBronx	wait a second	18:58
Flavr	iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP	18:58
sarnold	TheBronx: heh, nullrouting flood sources is just part of being a network provider, I'm afraid. I'd expect them to call hetzner then and push for the largest sources of flooding to be ignored for a while..	18:59
TheBronx	http://pastebin.com/rxBN6HU1	18:59
sarnold	TheBronx: glad to hear the one problem went away on upgrade though :) woo	18:59
TheBronx	as you can see CSF was doing great xD but then the error came up	19:00
TheBronx	they provide a "blackhole" when I'm under attack	19:01
sarnold	they switched attacks from syn to random udp flooding	19:01
TheBronx	but once the server is up, they attack again and again and again... and tomorrow will be 7 days under attack	19:01
Flavr	If you are not running a game server and are a victim of UDP attacks, request from your hosting provider that UDP traffic to your IP address or IP addresses are blocked. Most VPS or hosting providers will be more than glad to implement preventative measures to prevent problems to their network and customers.	19:02
TheBronx	yeah, I don't need UDP at all. But the attack is against port 80 TCP	19:02
Flavr	got apache installed ? :o or what ?	19:04
TheBronx	yes, but apache is not the problem. The network crashes, apache is idle	19:04
TheBronx	so, what does "dst cache overflow" mean? is it possible to increase the size of that buffer?	19:05
Flavr	mod evasive got ? :o	19:05
TheBronx	the attack succeeds even with apache stopped	19:05
escott	TheBronx, destination cache (ie routing table)	19:06
TheBronx	where can I increase the size of that table?	19:06
TheBronx	I have 8GB of RAM, only using about 2GB	19:06
escott	TheBronx, http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html	19:06
TheBronx	it that table is stored in memmory I don't care	19:07
TheBronx	ok, thanks!	19:07
Flavr	try ? /proc/sys/net/ipv4/tcp_syncookies = 1	19:07
sarnold	escott: excellent.	19:07
Flavr	oh	19:07
Flavr	:d	19:08
TheBronx	sysctl.conf -> http://pastebin.com/HUk0RVip syn cookies already enabled	19:08
TheBronx	I will read the article, thanks escott	19:08
TheBronx	Which Linux version resolves this issue?	19:15
TheBronx	This issue is resolved in Linux 2.4.21.	19:15
TheBronx	really? xD	19:15
sarnold	I wouldn' be surprised if an updated version of the attack has been made	19:16
sarnold	since 2003 or 2004 (when that paper was written) the hash functions in common languages have been forced through several iterations	19:17
sarnold	perhaps the kernel's dst cache hash function needs another re-work	19:17
TheBronx	if I do understand it correctly the attack tries to provoke a collision in the routing table	19:18
escott	TheBronx, yes	19:19
TheBronx	a collision produces a dst cache overflow?	19:19
escott	TheBronx, hash tables reduce to linked lists when there is a collision	19:19
TheBronx	yeah, and the performance is reduced. but how about the overflow?	19:20
escott	TheBronx, so you collide and reduce to a linked list or fixed length array at which point it can either overflow or hit some performance limit	19:20
TheBronx	ok, so the linked list has in fact less capacity than the hash table	19:21
escott	TheBronx, its also possible that there is some other kind of overflow going on. if the kernel has a total size limit on the table you might just fill it by trying to make the entire IP space routable	19:21
TheBronx	is it possible to disable route cache under a DDoS so that there is no overflow, collision or whatever?	19:23
TheBronx	cat /proc/sys/net/ipv4/route/max_size	19:24
TheBronx	4194304	19:24
TheBronx	seems big... isn't it?	19:24
escott	TheBronx, thats probably in bytes	19:25
escott	TheBronx, which is only 4Kb so one page... ie not that large	19:25
TheBronx	I have no idea, but the article says: "echo 4096 > /proc/sys/net/ipv4/route/max_size"	19:25
TheBronx	so, option 1, reducing the size to avoid collisions. option 2, increase the size to avoid overflow	19:26
escott	TheBronx, if you did that echo from a root terminal you would set the max_size to 4Kb and then you would see that file output a size of 419434 bytes	19:27
TheBronx	oh. ok, newbie fails hehe	19:27
escott	TheBronx, reducing the size would increase collisions. for reference mine is 8Kb	19:27
escott	TheBronx, and thats Linux HAF-UBUNTU 3.5.0-21-generic #32-Ubuntu SMP Tue Dec 11 18:51:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux	19:27
TheBronx	so, increasing the size can help. They will attack again and I will see if that helped	19:29
escott	TheBronx, you could also decrease the timeout/increase the frequency with which the GC runs	19:31
TheBronx	how can I do that? sorry but I'm not a linux expert (not even close)	19:32
escott	TheBronx, the other tunables for the routing cache are in that same folder	19:33
escott	TheBronx, best thing to do is to figure out a way to block the attacks. everything else is just papering over the issue	19:33
TheBronx	when CSF blocks an IP, does it delete the entry in the routing table?	19:34
escott	TheBronx, presumably not, but after some time it should get purged from the table	19:36
RoyK	Flavr, sarnold: for those tcp_syncookies to be persistent, use sysctl	19:37
TheBronx	yeah, but I don't know what shoud I put in sysctl, 4096?	19:39
RoyK	btw, tcp_syncookies are on as of default on 12.04 and 10.04	19:39
TheBronx	net.ipv4.route.max_size = 4096?	19:39
escott	TheBronx, that sounds like what you currently have. so setting that value wouldn't change it	19:40
RoyK	TheBronx: what routing protocols do you use?	19:40
TheBronx	error: technical question :P sorry, how can I answer that RoyK?	19:41
TheBronx	oh, and hi RoyK!	19:42
RoyK	ho	19:42
TheBronx	tcpdump capture during the attack: http://i.imgur.com/aZl21.png	19:42
TheBronx	net.ipv4.route.max_size = 16384 then, x4	19:42
TheBronx	those are spoofed ips?	19:43
RoyK	TheBronx: that's a truckload of SYNs - I doubt the route settings will help much - SYNs aren't put in routing tables, are they?	19:43
escott	TheBronx, they are just progressing through 204.253 why not block that subnet	19:43
RoyK	ufw block ...	19:44
=== slank is now known as slank_away
TheBronx	this is not the only block xD those are just a few packets	19:44
TheBronx	there are a lot of blocks, very different	19:44
TheBronx	SYNs are blocked by CSF, but the problem is that the network crashes due to the dst cache overflow	19:45
RoyK	TheBronx: you're getting DDoSed	19:45
RoyK	you can't block SYN alone	19:45
RoyK	that'll stop all TCP traffic	19:45
TheBronx	these options were not in sysctl during the attack:	19:47
TheBronx	# Enable IP spoofing protection, turn on source route verification	19:47
TheBronx	net.ipv4.conf.all.rp_filter = 1	19:47
TheBronx	net.ipv4.conf.lo.rp_filter = 1	19:47
TheBronx	net.ipv4.conf.eth0.rp_filter = 1	19:47
TheBronx	net.ipv4.conf.default.rp_filter = 1	19:47
RoyK	!pastebin	19:47
ubottu	For posting multi-line texts into the channel, please use http://paste.ubuntu.com \| To post !screenshots use http://imagebin.org/?page=add \| !pastebinit to paste directly from command line \| Make sure you give us the URL for your paste - see also the channel topic.	19:47
RoyK	TheBronx: http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/	19:47
addisonj	someone piss of 4chan? ;)	19:47
RoyK	read this yet?	19:47
TheBronx	nope, thanks!	19:48
TheBronx	cat /proc/sys/net/ipv4/route/max_size	19:48
TheBronx	16384	19:48
TheBronx	oops, unit problem hehe	19:49
TheBronx	routing table cache increased (x4) and sysctl is much more complete now	19:51
TheBronx	lets see what happens in the next attack	19:51
TheBronx	I don't know if CSF can ban entire blocks if it finds lets say 3 or 4 very similar IPs	19:51
RoyK	CSF?	19:53
TheBronx	iptables for newbies hehe	19:53
RoyK	not ufw?	19:53
TheBronx	I have to leave, thank you guys again. RoyK, sarnold. Thank you, really, I'm learning a lot and I'm not thinking of killing people =)	19:54
sarnold	TheBronx: good luck :)	19:54
sarnold	TheBronx: oh!	19:54
sarnold	TheBronx: wait1	19:54
TheBronx	yes?	19:55
sarnold	TheBronx: the point of the article escott found was to _lower_ the size of the dst cache, to reduce the expenses of every incoming packet	19:55
TheBronx	yeah, thats what I understood at first	19:55
TheBronx	but dont worry, if increasing doesnt work, I will try the oposite hehe	19:55
RoyK	just decrease it ;)	19:56
TheBronx	(i don't think the attack is that sophisticated, collisions... it is probably a bored kid)	19:56
TheBronx	have to leave now, thank you again!!!!!!!!!!!	19:56
Flavr	hey yaa	20:06
Flavr	can some one tell me clear out about big data	20:06
Jeeves_	Flavr: Take a byte. Copy it a gazillion times	20:07
Jeeves_	and you have big data. PROFIT!	20:07
RoyK	Flavr: what?	20:07
Flavr	hmm	20:07
RoyK	what about big data?	20:08
Flavr	I am just thinking cause they are looking alot big data spealists	20:08
Flavr	Would like to learn more	20:08
RoyK	well, I'm managing a few hundred terabytes	20:08
RoyK	I'd rather do it on zfs than on what we're using now, but still	20:08
Flavr	okey can you tell me litle more about it... I know basics about lamp stack... so maybe if i understand ?	20:09
escott	Flavr, read the original mapreduce paper	20:09
escott	Flavr, http://fastandfuriousdecisiontree.googlecode.com/svn-history/r474/trunk/DIVERS/mapReduceByGoogle.pdf	20:09
Flavr	thanks i will read it out	20:10
escott	sarnold, i didn't actually read that link (perhaps I should have) just seemed that it would explain what the dst cache was	20:10
sarnold	escott: it did, and gave good advice on mitigation :) it even seemed familiar to my eight-year-old-neurons which might have read it once before.. :)	20:11
adam_g	zul: im still confused about the openstack master tarballs. if the per-commit tarballs are going away, what does the $proj-master.tar.gz represent?	20:12
RoyK	Flavr: it's just mysql (or postgres?) and apache (or something?) with php	20:12
RoyK	Flavr: it's nothing magic about it	20:12
zul	its the same thing just not versioned	20:13
Flavr	na i am just thinking why hell they got somany place open...	20:13
Flavr	if its just some basic...	20:13
RoyK	Flavr: what do you want to know?	20:13
RoyK	mysql and linux and php and apache are all open	20:14
Flavr	Yep so what is the big deal in hadoop ? :o	20:14
RoyK	so are postgresql and a diverse set of other webservers	20:14
Flavr	Can anyone install it on anykind server ?	20:14
escott	Flavr, hadoop/mapreduce are very different from SQL/traditional RDBMS	20:14
RoyK	hadoop is another thing	20:14
Flavr	hmm :o... any kind books out there ? :o about hadoop and big data ?	20:15
RoyK	Flavr: what are you building?	20:15
Flavr	I am looking for job	20:16
escott	Flavr, when people talk about big data they usually mean that they are willing to sacrifice something in the traditional relational database in order to get decent performance when working with very large datasets	20:16
RoyK	heh	20:16
Flavr	as "big data " specialist lol	20:16
RoyK	Flavr: you don't become a "big data" specialist until you've actually worked with big data	20:16
Flavr	yep thats why I think how i could get in tho that...	20:16
escott	Flavr, usually consistency is relaxed in favor of something like eventual consistency	20:16
RoyK	theory you can learn, but all sort of shite come up later	20:16
Flavr	what they mean with data crafting / mining ? :o	20:17
escott	Flavr, mapreduce drops the SQL type query processing for something more limited but more scalable	20:17
Flavr	sounds like wow game lol..	20:17
Flavr	so i need hadoop and some kind map /reduce program	20:19
Flavr	lol	20:19
Flavr	need set up vps server and get in to it	20:19
sarnold	or just do it on your laptop	20:19
Flavr	sarnold tip me out litle bit ? :o	20:19
Flavr	so ineed hadoop what else ? :O	20:20
sarnold	Flavr: a way to generate huge piles of nonsense data to work with :)	20:20
Flavr	oh i see..	20:20
Flavr	awesome that we got community that helps out..	20:21
Flavr	lol	20:21
addisonj	Flavr: why don't you just google "hadoop tutorial" or "hadoop for dummies" and see what comes up?	20:22
Flavr	haha thanks :)	20:22
Flavr	omg some indian guys.. that why.... so messy http://www.youtube.com/watch?v=ziqx2hJY8Hg	20:23
Flavr	45 minutes...	20:26
Flavr	omg	20:26
jiboumans	smoser: if you're around, I could use your wisdom on building AMIs. I'm building a new AMI from the ubuntu stock 10.04 one, and oddly enough, the ephemeral hard drives are getting remapped and I can't quite figure out how to fix that.	20:35
smoser	remapped ?	20:35
RoyK	Flavr: really - learn basic administration, learn that well, then, after a years of practice, you may learn enough to learn large systems	20:36
jiboumans	smoser: they're /dev/sd* on the machine i'm building from, but upon boot, they're /dev/xvd*	20:36
jiboumans	(upon boot of the new ami)	20:36
jiboumans	smoser: using ec2-bundle-vol -B … ephemeral0=sdb makes fstab have the '/dev/sdb' entry, but upon boot, the devices are still /dev/xvd*. setting ephemeral0=xvdb throws this error when registering the ami: Client.InvalidManifest: Invalid block device mapping: Invalid device name 'xvdb'	20:37
=== Tribaal_ is now known as Tribaal
jiboumans	interestingly enough, the non-ephemeral drives are /dev/sda* no matter what.	20:38
smoser	jiboumans, it just has to do with the kernel	20:39
smoser	xen is stupid	20:40
jiboumans	smoser: hmm, that rings a bell - i think the ami host has an updated kernel, but did not reboot (yet).	20:40
smoser	the kernel you're booting names those devices xvd*	20:40
jiboumans	that might cause the confusion there...	20:41
jiboumans	smoser: for my understanding, how come there's still /dev/sda* on the newly booted machine?	20:41
smoser	it jsut depends on the kernel	20:44
smoser	maybe its running an older kernel?	20:44
resno	hey yall question. whats the most lean version of ubuntu to use in a vm enviroment?	20:44
jiboumans	smoser: actually, the point of the ami is to update the stock kernel (and some other stuff), so it runs: 2.6.38-16-virtual #67~lucid1-Ubuntu SMP x86_64	20:46
smoser	i dont follow. at some point in lucid-updates the kernel changed its naming for /dev/sd[x] to /dev/xvd[x] (i think)	20:47
jiboumans	so, the ami-builder host is running stock 10.04, just as you released the image. the ami i'm trying to build installs some stuff by default, including an updated kernel (the one i just pasted above). one of the side effects appears to be that /mnt is no longer mounted, because the device names changed.	20:49
jiboumans	i (wrongly) assumed it had to do with the flags one passed to ec2-bundle-vol	20:49
smoser	its possible its a bug in cloud-init in lucid that doesn't realize that new name	20:50
jiboumans	if cloud-init intends to alter the fstab based on the devices detected, then yes, it doesn't do that	20:51
jiboumans	the fstab is identical to what was shipped from the builder	20:52
smoser	jiboumans, ah. ok so it makes more sense now.	20:54
smoser	you're wanting to run some > lucid kernel, right?	20:54
jiboumans	yup	20:54
wdev	As per the directions on the Ubuntu Kerberos docs, I'm here out of some level of desperation. Has anybody set up a KDC on 12.04?	20:55
=== slank_away is now known as slank
smoser	jiboumans, it is bug https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/611137	20:57
uvirtbot	Launchpad bug 611137 in cloud-init "cc_mounts may need to translate device names for xvda or virtio" [High,Fix released]	20:57
smoser	http://paste.ubuntu.com/1517992/ is the commit, jiboumans	20:58
jiboumans	smoser: thanks. did that ever make it to lucid-updates?	20:59
smoser	no.	21:00
smoser	but you could nominate for release, and i do the work and i'd sponsor the upload for you	21:00
=== shanemeyers_ is now known as shanemeyers
jiboumans	smoser: ah, missed that comment. that'd be fine by me, but i don't think i have the permission to nominate that bug in LP	21:17
SpamapS	smoser: hey, do Ubuntu's cloud images no longer inject a bunch of static randomness into the entropy pool?	21:17
SpamapS	jiboumans: o/	21:18
jiboumans	SpamapS: o/	21:18
jiboumans	long time no see	21:18
smoser	jiboumans, you can probably nhominate you just can't accept	21:18
smoser	SpamapS, i dont think they ever did inject static randomness.	21:19
smoser	but a static randomness stored inside in a public image is quite arguably no better than no randomness.	21:19
SpamapS	smoser: its faster.. but definitely no better. ;)	21:20
jiboumans	smoser: are we talking about the same? I dont have a nominate link on the bug page, and adding the +nominate to the url (hax!) gives me permission denied :)	21:20
SpamapS	as in, things that want randomness won't block	21:20
SpamapS	smoser: http://www.slideshare.net/astamos/cloud-computing-security suggests there is something like that in practice, on slide 66	21:20
jiboumans	oh and smoser, i've been meanign to ask, what's the clean way to re-run all of cloud-init after the machine has booted (for debugging/testing purposes)?	21:22
smoser	jiboumans, you're logged in ?	21:22
jiboumans	smoser: yes	21:22
smoser	i'll nominate then	21:22
jiboumans	thanks.. odd though	21:23
smoser	strange though i thought anyone could nominate	21:23
smoser	and only certain could accept	21:23
jiboumans	i logged out, nominate link /is/ there, i click it, asks for log in, and then i get permission denied	21:23
jiboumans	smoser: that's how i remember it too	21:23
smoser	SpamapS, i'mn not sure if that file is "" or not	21:24
smoser	it doesn't matter	21:25
smoser	its the same really.	21:25
smoser	on reboot, you do get it.	21:25
smoser	and SpamapS https://review.openstack.org/#/c/14550/ is quite relevant	21:25
smoser	(although cloud-init doesn't use it yet)	21:25
jiboumans	smoser: thanks for the nomination.	21:34
jiboumans	oh and smoser, i've been meanign to ask, what's the clean way to re-run all of cloud-init after the machine has booted (for debugging/testing purposes)?	21:34
smoser	lusid is old... i'm not sure :)	21:35
smoser	but i usually do:	21:35
smoser	rm -Rf /var/lib/cloud-init && reboot	21:35
smoser	or somethign to that extent. its not purely idempotent, but not far off.	21:35
jiboumans	smoser: i particularly want to see what it's doing while it's doing it, without rebooting if possible	21:36
jiboumans	is there anyway?	21:36
smoser	ah. yeah.	21:36
smoser	just look in /etc/init and run the same stuff upstart would run	21:36
Debs	Hi! I'm a bit confused following a manual whilst setting up bind9 on an Ubuntu server. I'm creating the zone file and am wondering about this line -> '@ IN SOA ns.example.com. root.example.com. ('. The hostname of the server is rs-01.exp.com, do I put this where 'ns.example.com' is, or do I put ns.exp.com?	21:36
Debs	I'm setting up as a Master.	21:36
jiboumans	smoser: i'm taking the rm -rf is the key part there to have it re-run its steps right?	21:36
Debs	Any help?	21:41
=== slank is now known as slank_away
Debs	Hi! I'm a bit confused following a manual whilst setting up bind9 on an Ubuntu server. I'm creating the zone file and am wondering about this line -> '@ IN SOA ns.example.com. root.example.com. ('. The hostname of the server is rs-01.exp.com, do I put this where 'ns.example.com' is, or do I put ns.exp.com?	21:51
Debs	I'm setting up as a Master.	21:51
=== slank_away is now known as slank
RoyK	Debs: try #bind	21:59
Debs	I did, RoyK. It's dead in there :(	21:59
RoyK	perhaps people are sleeping	22:00
SpamapS	Debs: crazy thought: BIND is really antiquated.. unless you intend to become a DNS guru, there's no point in learning the ins and outs. I recommend using an online DNS service provider.	22:03
Debs	SpamapS: It's just a thing that I want to do, and then I'll probably never do it again.	22:04
Debs	SpamapS: I just can't figure out if I put ns.domain.com, or server1.domain.com there, for e.g	22:04
Debs	Both point to the same IP	22:04
SpamapS	Debs: ns.example.com should be the name of the server where you want people to check as "the ultimate authority" for the domain.	22:05
SpamapS	Debs: I'd do ns.domain.com .. but it actually doesn't matter	22:06
SpamapS	Debs: its mostly informational	22:06
SpamapS	Debs: http://www.zytrax.com/books/dns/ch8/soa.html	22:07
SpamapS	good explanation	22:07
Debs	SpamapS: Just on the Ubuntu docs, it says to put the FQDN of the server where ' ns.example.com. ' is in the example. The FQDN is rs-01.domain.com	22:07
Debs	ns.domain.com points to the same place as rs-01.domain.com though	22:07
Debs	So put ns., right?	22:07
SpamapS	Debs: as that link says, it really doesn't matter if you're not using DDNS (as its where writes go).	22:09
sarnold	heh, that field predates ddns by, what, two decades? :) Is it really that useless?	22:10
SpamapS	sarnold: useless? no, but matters to somebody who isn't running ddns and doesn't care about becoming a DNS guru, no.	22:12
SpamapS	Its basically only useful when you're wondering what the "primary master" is.	22:13
sarnold	aha	22:13
sarnold	thanks SpamapS :)	22:13
SpamapS	also if its a private domain, not in a whois server, is can be helpful	22:13
=== slank is now known as slank_away
=== cpg\|away is now known as cpg
segv	heyo	23:40
segv	Hey guys quick question	23:41
segv	so with MaaS I keep getting tftp to connect, and i get the request from pserv (maas)	23:41
segv	just times out almost instantly though, any of you ever experience that?	23:41
segv	Got some cisco gear in between with trunked vlans over to a cage (that may be causing this)	23:41
bigjools	request from pserv? pserv is the tftp server	23:42
bigjools	can you paste a relevant log part	23:43
segv	yeah	23:43
segv	https://gist.github.com/105c29324c42cc24f201	23:44
segv	if I tftp it from my client, I can get to it okay and pull the same file	23:45
segv	~.	23:48

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!