/srv/irclogs.ubuntu.com/2013/03/15/#ubuntu-server.txt

qman__	I think I'm running into bug 633392	00:00
uvirtbot	Launchpad bug 633392 in linux "Bridged Guests losing network connectivity" [High,Expired] https://launchpad.net/bugs/633392	00:00
qman__	unfortunately it went unresolved	00:00
qman__	I'll try unbonding and see if it solves the problem	00:00
qman__	yep, it did	00:05
qman__	so I guess bonding + bridging + kvm is broken	00:05
patdk-lap	can't say I ever joined bonding + bridging	00:06
qman__	bonding + bridging works great on the host OS	00:06
qman__	it just breaks stuff with the KVM guests	00:07
qman__	not sure where the fault is	00:07
patdk-lap	bonding and bridging on the host and normal nic on kvm guest?	00:07
qman__	yes	00:07
qman__	both normal nic and a guest with a bridge	00:07
qman__	same thing happens to both guests	00:08
patdk-lap	and firewall rules on the host?	00:08
qman__	accept all	00:08
qman__	it just has the normal KVM stuff	00:09
qman__	or libvirt	00:09
qman__	or whatever puts it in there	00:09
patdk-lap	just thinking :) I normally put a firewall on the host	00:09
qman__	yeah, this is all externally secured	00:09
RoyK	bonding on the host, not the guest?	00:10
qman__	yes	00:10
RoyK	what sort of bonding?	00:10
qman__	balance-rr	00:11
qman__	I don't have smart hardware	00:11
qman__	unmanaged switch, two different types of NIC	00:11
RoyK	bonding to a single switch?	00:11
qman__	yes	00:11
RoyK	then why not LACP?	00:12
RoyK	should work well	00:12
RoyK	perhaps not to a dumb switch, though	00:12
qman__	yeah, I don't think I can	00:13
qman__	I just wanted to try and squeeze some more bandwidth out of it	00:13
qman__	it's not critical, just annoying that it's broken	00:13
RoyK	get a good switch	00:13
RoyK	well, file a bug report	00:13
RoyK	if enough users/developers think it's a problem, it'll be solved	00:14
MraAlbertina	hi. could you please help me sonve this issue; "perl: warning: Setting locale failed." Pastebin: http://pastebin.com/p3N17prX	00:26
MraAlbertina	sonve/solve..	00:27
sarnold	MraAlbertina: 'locale -a' will show you the installed locales on your system	00:28
sarnold	MraAlbertina: I guess one of your locale variables there is not one of the legal values reported by locale -a	00:28
MraAlbertina	wow... i need to discover where that is	00:29
MraAlbertina	sarnold: i have a C and C.UTF-8 after 'locale -a' everything else seems ok (all en_**.utf8)	00:30
MraAlbertina	i have no clue where that C is coming from. might that be the problem?	00:31
sarnold	MraAlbertina: "C" is the safe fallback :)	00:32
MraAlbertina	oh	00:32
MraAlbertina	oh, another entry i have is POSIX, besides that C and all en*	00:32
MraAlbertina	is it possible to reconfigure locale, in a quick fix, sarnold ?	00:35
qman__	pretty sure this one is the problem: LC_ALL = (unset),	00:35
MraAlbertina	because everything seems ok, with locale -a	00:36
qman__	there's a dpkg-reconfigure you can do to set the locale	00:36
qman__	I can't remember which package though	00:36
MraAlbertina	i saw that LC_ALL = (unset) somewhere	00:37
qman__	related: http://ubuntuforums.org/showthread.php?t=1720356	00:37
qman__	shows three methods to fix, in the order you should try them	00:37
MraAlbertina	oh, ya, on the first "warning" i got, in the pastebin	00:37
MraAlbertina	LC_ALL = (unset),	00:38
MraAlbertina	okay, thanks so much qman__	00:38
MraAlbertina	thanks sarnold	00:39
sarnold	MraAlbertina: what fixed it? :)	00:39
MraAlbertina	going for a reboot after editing /etc/environment and i'll tell you :)	00:40
MraAlbertina	sarnold: adding: LC_ALL="en_GB.utf8" -to- /etc/environment and rebooting solved it	00:44
sarnold	MraAlbertina: excellent :) thanks	00:44
MraAlbertina	thanks for discovering that qman__	00:44
patdk-lap	isn't bond-mode balance-tlb going be better than balance-rr?	01:10
patdk-lap	balance-rr when using a single switch, can cause out of order packets	01:10
patdk-lap	that might be your issue	01:10
patdk-lap	the other one, balance-a?? can cause issues with devices that depend on the mac being static (cable modems, some switchs management interface, basically anything using mac for a security cookie)	01:12
sarnold	qman__: ^^^	01:12
qman__	while that's possible I don't think it's the problem at hand, when watching a tcpdump, the arp requests go through the bridge and get back to my host, but simply don't get to the guests, most of the time	01:12
qman__	and the host has no issues at all communicating with the rest of the network over the bridge on the bond	01:13
patdk-lap	ya, I imagine the balance-rr issue will be more if you load the interfaces up good	01:14
patdk-lap	I believe I have seen that arp issue before	01:14
patdk-lap	but it's been awhile	01:14
qman__	likewise, real hosts on the LAN can reach the guests just fine, it only applies to the guests trying to initiate	01:15
patdk-lap	I've defently seen that before	01:16
patdk-lap	but totally can't remember what it was	01:16
patdk-lap	I don't use kvm, but used to use xen with bridges like that	01:16
autoditac	hey everyone. is this the right channel to ask questions regarding nfs on ubuntu?	01:40
autoditac	i' d be glad if someone could give me a hint regarding posix acls and nfs4 on ubuntu.	01:41
autoditac	question is: will posix acls be applied if i access a ext3 filesystem with heavy usage of acls using nfs 4 without using kerberos? i have the same userbase both on the client and the server (LDAP)	01:44
xnox	yes, but they will be able to bypass it, if they have root on the client.	01:44
autoditac	hi, xnox :)	01:45
autoditac	xnox, users don't have root access on the client. furthermore, no_root_squash is not set	01:46
autoditac	i was just wondering if the nfs4 acls and posix_acls map and if the acls get enforced on the server or on the client side?	01:48
patdk-lap	enforced on the client	01:50
buengenio	guys, can somebody please recommend a shared calendar server/service?	02:02
patdk-lap	gmail?	02:02
resno	buengenio: google calendar?	02:02
* resno highfives patdk-lap		02:02
patdk-lap	just dunno what a shared calendar server/service is	02:03
patdk-lap	like a community calendar? a wordpress plugin?	02:03
buengenio	no, like a caldav	02:03
patdk-lap	or like exchange/outlook? a webmail thing?	02:03
patdk-lap	isn't caldav a protocol?	02:03
buengenio	exchange/outlook type of thing but that can work with Outlook/Thunderbird/Mail, etc....	02:03
patdk-lap	heh?	02:03
sarnold	good luck with outlook :/	02:04
patdk-lap	outlook does it's own thing	02:04
holstein	you can use google cal with those	02:04
buengenio	I'd love to say that to our boss	02:04
patdk-lap	and last I knew thunderbird and that doesn't support calanders	02:04
resno	im still suggest google calendar	02:04
patdk-lap	buengenio, install exchange	02:04
buengenio	no thank	02:04
buengenio	no thanks	02:04
resno	can you even install exchange in linux?	02:04
sarnold	buengenio: iirc there's a horrible plugin thingy for outlook to make google calendars work there. I'm sure they did their best, but I don'tthink outlook was meant to have plugins. so.	02:04
buengenio	but boss is sticking with Outlook till dies irae	02:04
patdk-lap	I run exchange 2010 currently, not a big deal	02:05
patdk-lap	buengenio, next best thing, outlook365 :)	02:05
buengenio	isn't there something OSS?	02:05
buengenio	standards based	02:05
buengenio	that works everywhere?	02:05
patdk-lap	there are standards?	02:05
sarnold	buengenio: it's the "works everywhere" that fails, outlook doesn't want to play that game.	02:06
patdk-lap	outlook has no standards, atleast till outlook 2013, then it can use activesync	02:06
sarnold	buengenio: and iirc nothing else really speaks exchange	02:06
sarnold	(client-side)	02:06
holstein	owncloud	02:06
patdk-lap	I guess you could install horde webmail, setup activesync, then use outlook2013	02:06
patdk-lap	I have not tested that though	02:06
resno	theres zimbra	02:07
resno	zimbra the paid versoin speaks it	02:07
patdk-lap	there is always openchange	02:07
patdk-lap	no idea how well that works	02:07
sarnold	buengenio: I've heard good things about http://en.wikipedia.org/wiki/Open-Xchange but never used it myself	02:07
shauno	I'd be wary of google calendar, their caldav access is on the chopping board	02:11
buengenio	Their biggest problem is that adding event invitations sent to a non GMail address doesn't work	02:12
buengenio	At least in Thunderbird	02:12
patdk-lap	heh?	02:12
buengenio	which is what almost everyone uses at the office	02:12
resno	if you had users comfortable with ftp, how would you allow them to upload their files?	02:17
resno	whats a resonable alternative or a secure ftp server?	02:18
sarnold	resno: I'd get them comfortable with sftp right quick.	02:19
patdk-lap	there is no difference between ftp and sftp these days to a user	02:19
sarnold	except no more baffling image vs text or pasv vs active :)	02:20
patdk-lap	hmm, most programs hide that too :)	02:20
patdk-lap	just when it won't work, do you have to deal with it :)	02:20
sarnold	:D	02:21
patdk-lap	like my friends router that messed up active ftp :)	02:21
resno	is sftp that much improved over ftp?	02:21
patdk-lap	resno, yes and no	02:22
resno	im sure the "s" brings secure, but is it night and day	02:22
patdk-lap	personally I hate sftp	02:22
resno	i hate s/ftp	02:22
patdk-lap	but it uses a single connection, unlike ftp, fixing nat issues	02:22
patdk-lap	and it uses ssh	02:22
patdk-lap	so it just works better :)	02:22
resno	oh?	02:22
resno	so, i wouldnt need an ftp server?	02:23
patdk-lap	depends	02:23
patdk-lap	most ftp servers these days support sftp too	02:23
resno	you give me hope and then snatch it away	02:23
patdk-lap	but give you more control than ssh will give you for sftp	02:23
patdk-lap	all depends on what goal you have	02:23
patdk-lap	use ssh for both	02:24
patdk-lap	or use like proftpd for sftp	02:24
patdk-lap	I think pure-ftp does it too now, but haven't checked	02:24
resno	theres 3 main ftp servers right?	02:24
patdk-lap	what is main?	02:24
resno	uhm	02:26
resno	ill look into proftpd	02:26
resno	ive managed to avoid ftp being installed, so i want to make sure its all good and secure	02:26
patdk-lap	there is one issue with that :)	02:27
patdk-lap	you can't have both proftpd and ssh both listening on port 22 (I believe, maybe they did a passthough thing?)	02:27
patdk-lap	so you would have to move normal ssh to another port	02:27
resno	you cant have proftpd listen on another port as well?	02:28
resno	seems like a reciepe for disater	02:28
patdk-lap	if you have it listen on another port, it will confuse users	02:28
patdk-lap	when they use the default port :)	02:28
sarnold	man, i'd so much rather just rely on sshd to do sftp rather than get one of the ftpd servers involved.	02:28
patdk-lap	sarnold, like I said it depends :)	02:29
patdk-lap	the ftp server has more control, than ssh gives you per user	02:29
patdk-lap	and personally, I love file upload notifications	02:29
patdk-lap	so I can realtime scan and check files people upload	02:29
resno	patdk-lap: do you do that even for trusted users? ie) coworkers	02:30
sarnold	something that'd be annoying to put together with imcron and sshd over a few thousand users :)	02:30
resno	i dont know your enviroment	02:30
patdk-lap	trusted users? those exist?	02:30
patdk-lap	anyones account could be compromised	02:30
resno	true	02:30
resno	hmm, i didnt think of that actually	02:30
=== VD is now known as Guest32085
=== freeflyi1g is now known as freeflying
=== smb` is now known as smb
jamespage	yolanda_, https://code.launchpad.net/~james-page/python-quantumclient/grizzly-2.2.0/+merge/153512	09:36
jamespage	when you get a chance please :-)	09:36
yolanda_	jamespage, meeting	09:36
jamespage	yolanda_, (I know :-))	09:37
nailora	sarnold: i found this https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1008400	09:54
uvirtbot	Launchpad bug 1008400 in linux "Ubuntu server uses CFQ scheduler instead of deadline" [Medium,In progress]	09:54
yolanda_	jamespage, i'm looking the code at the diff, i see that in changelog * debian/control: Set version minimum for python-cliff (>= 1.3.1).	10:00
yolanda_	but i don't see that reflected in the diff, is that from a previous commit?	10:00
jamespage	yolanda_, yeah - it needed a tweak in the changelog to drop the ~	10:21
jamespage	as changelog and change did not actually match	10:21
yolanda_	approved it	10:22
jamespage	bug 1155556	11:39
uvirtbot	Launchpad bug 1155556 in maas "HP ProLiant DL380 G7 tftps kernel, but initrd tracebacks in tftp server. DL380 G6 succeeds." [Undecided,New] https://launchpad.net/bugs/1155556	11:39
jamespage	adam_g, reviewed and uploaded to folsom CA	11:45
jamespage	adam_g, I swept that and the django fix through to -updates	11:45
smoser	roaksoax, jamespage woot, isc-dhcp in raring with our no maas no-uuid patch.	12:15
smoser	er.. what ever that patch was. thansk to stgraber	12:15
jamespage	smoser, great!	12:15
roaksoax	smoser: nice!!	12:43
smoser	roso i guess actualy, in raring you should modify maas to use that.	12:44
smoser	in its default config.	12:44
zetheroo	got a couple ubuntu servers both running 12.04.2 here ... one looks like this when logged in "[root@mars ~]#" while the other looks like this "root@saturn:~#" ... why does mars have those brackets ?	13:02
patdk-wk	probably cause of the shell your using	13:03
zetheroo	I am accessing them both through the same terminal via ssh ...	13:04
zetheroo	all servers are using bash shell	13:07
zetheroo	weird ... I closed the saturn session and reopened it and now saturn has those brackets ... [root@saturn ~]#	13:08
jamespage	adam_g, http://people.canonical.com/~jamespage/ca-updates/	13:26
jamespage	quantumclient and new version of python-django-compressor for horizon	13:26
crankharder	what is it about this builder command that I can't ssh or telnet into the host once it's built & started? https://gist.github.com/crankharder/c0063a365996f90b170c	13:33
ttx	jamespage: cinder milestone-proposed cut	13:39
jamespage	ttx, ta	13:39
* jamespage switches configs		13:39
soren	Daviey: There's a question for you(r team) in my post to the tb mailing list earlier today. Would you mind (having one of your minions) taking a look?	13:51
=== wedgwood_away is now known as wedgwood
Daviey	soren: I am the minion to the cretins. :)	13:57
soren	Daviey: That's the spirit.	13:59
Daviey	soren: I'll reply to that.. just not right now. Thanks for raising it	13:59
soren	Daviey: By extension, is... err.. Rick Spencer your minion?	13:59
Daviey	soren: The higher you go, the least important you become.. so yes :)	14:00
Daviey	I say jump. and he says,	14:01
Daviey	"your're fired"	14:01
pmatulis	hmph, on quantal (at least) i see that 'deluser --remove-home' does not remove the home directory, just the files	14:05
Croves	Hello guys! I'm trying to install Ubuntu Server 12.04 i386 on a XenServer Virtual Machine, but when I try to install the sistem, I get this error: "Your installation CD-ROM couldn't be mounted. This probably means that the CD-ROM was not in the drive. "	14:12
Croves	Any idea?	14:12
saki`	hi ho	14:18
saki`	i was wondering	14:18
saki`	if i could run an ubuntu server OS off a live usb?	14:18
melmoth	saki`, http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator	14:21
crankharder	what is it about this builder command that I can't ssh or telnet into the host once it's built & started? https://gist.github.com/crankharder/c0063a365996f90b170c	14:23
Croves	Anyone here is familiar with XenServer?	14:23
saki`	thanks melmoth	14:29
saki`	maybe i should mention	14:29
saki`	i'm going to be trying to run this off it: http://www.sourcefabric.org/en/airtime/download/	14:29
melmoth	saki`, the usb creator thingy let you have a "stat" in your live usb system. wich means, any change you make, will be there after a reboot.	14:31
melmoth	so you can apt-get install or compile stuff you need, and they will be available on the usb stick.	14:31
melmoth	all you need is... space on the key.	14:31
saki`	okay cool, so a persistent install or whatever yeah?	14:32
saki`	thanks melmoth.	14:32
melmoth	indeed.	14:32
melmoth	when you create the key, you have an option about "casper", that s the persistant stuff	14:32
melmoth	basically, it ask you how much space you want to allocate to the persitsant storage (if i understand correctly)	14:33
saki`	ah ok	14:33
melmoth	i dont kow the details, i just know it "just worked" last time i needed it	14:33
saki`	hmm this seems to require me to compile it somewhere. if this works let me try and use a windows based installer instead.	14:34
saki`	as in, if it works anyway	14:34
saki`	you wouldn't happen to know of one would you melmoth? the only one i know of is YUMI, and that's for multiboot stuff	14:38
melmoth	nope, sorry.	14:39
saki`	ah no worries	14:40
saki`	found one	14:40
zetheroo	in trying to setup glusterfs here I am running into this message and cannot seem to find a fix that works for me: /mnt/gluster or a prefix of it is already part of a volume	14:45
=== wedgwood is now known as wedgwood_away
=== wedgwood_away is now known as wedgwood
=== HappyLoaf is now known as Gemma-and-Sp00n
=== Gemma-and-Sp00n is now known as HappyLoaf
=== HappyLoaf is now known as Mr_Spock
=== Mr_Spock is now known as HappyLoadf
=== HappyLoadf is now known as HappyLoaf
hrenovo	so to add a rule with ufw I do something like this "ufw allow 8080" , now how can I delete this rule from showint up in "ufw status" ?	15:33
jpds	hrenovo: That's... not suppose to be done?	15:33
jpds	Why would you add a rule, then hide its existance?	15:34
hrenovo	if I no longer need it	15:34
hrenovo	not hide, just get rid of it	15:34
hrenovo	i gigured it out	15:34
hrenovo	its ufw delete allow 8080	15:34
hrenovo	like that	15:34
jpds	hrenovo: Ah, right. :)	15:38
fabiofranco	something weird is happening with my tomcat7 and mysql server. when I add firewall rules with iptables to open the port 8080 and 3306 and add the last rule dropping everything else the communication between tomcat7 and mysql just stops... any thoughts?	16:45
patdk-wk	fabiofranco, thoughts without seeing the rules?	16:57
fabiofranco	sure, I add: iptables -A INPUT -j ACCEPT -p tcp --dport 8080, iptables -A INPUT -j ACCEPT -p tcp --dport 3306 and finally iptables -A INPUT -j DROP -p tcp	16:58
fabiofranco	just those three... and after I add the last one the communication stops immediately	16:59
fabiofranco	I add the one open ssh too of course	16:59
qman__	you need to add rules to allow all traffic on the loopback interface	16:59
fabiofranco	qman__ example pls?	17:00
adam_g	jamespage, those 2 new CA updates LGTM	17:00
qman__	iptables -A INPUT -i lo -j ACCEPT	17:01
qman__	iptables -A OUTPUT -o lo -j ACCEPT	17:01
fabiofranco	qman__ i see.. gonna give a try	17:02
qman__	also, it's conventional to put the -j at the end of each line	17:03
qman__	not sure if it affects the rules	17:03
qman__	but if it does, your last rule could mean iptables -A INPUT -j DROP, which would certainly not be great	17:04
qman__	also, do you have rules for established traffic?	17:04
qman__	iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT	17:04
fabiofranco	no, I dont	17:05
qman__	you definitely need that too	17:05
fabiofranco	gonna apply it right now	17:05
jamespage	adam_g, great - ta	17:07
fabiofranco	qman__ do you think the last rule should be iptables -A INPUT -j DROP?	17:10
qman__	it can but that will break all icmp and udp traffic	17:12
qman__	so if you want any of either, make sure you allow it first	17:12
fabiofranco	qman__ I see... gonna try it	17:13
fabiofranco	qman__ it worked... thanks a lot	17:17
jamespage	adam_g, that horizon oddness with firefox is fixed with the new version of django-compressor	17:24
adam_g	jamespage, great	17:25
adam_g	jamespage, which projects are we waiting on for RC1?	17:25
jamespage	adam_g, most of them	17:25
adam_g	ah	17:26
jamespage	quantum and cinder have released rc1's	17:26
jamespage	I started on quantum	17:26
jamespage	but noticed the watch file does not work that well and got distracted....	17:27
jamespage	adam_g, MP for quantum rc - https://code.launchpad.net/~james-page/quantum/grizzly-rc1/+merge/153606	17:34
adam_g	jamespage, nice.	17:35
jamespage	adam_g, I think all the required deps are in the grizzly-staging PPA now	17:35
jamespage	there are a few catchups outstanding but nothing critical.	17:35
adam_g	jamespage, when i got online, saw a precise+grizzly test had just failed on volume creation. hope its something transient. :)	17:36
jamespage	adam_g, hmm - worked a few minutes ago - I'll try again	17:36
jamespage	adam_g, btw I'm working on a tool to make backporting easier	17:37
jamespage	ca-backport-package 'os_series' 'package' 'Comment for Changelog'	17:38
adam_g	jamespage, hah	17:38
jamespage	hopefully it will mean the only thing you can get wrong is the changelog comment :-)	17:38
adam_g	jamespage, i just did this yesterday http://paste.ubuntu.com/5617160/	17:38
jamespage	adam_g, lol	17:39
jamespage	great minds and all that	17:39
jamespage	we should consolidate stuff	17:39
jamespage	mines a bit more hacky write now	17:39
adam_g	jamespage, yeah, what are your thoughts on making this automated, in response to the version_drift failing?	17:39
jamespage	adam_g, I'd be up for that - I implemented the changes we discussed in the CA archive admin tooling to help support that today	17:40
jamespage	ca admins now get the change details so can choose to ignore things.	17:40
adam_g	jamespage, where do you envision the bot pushing the auto-built backports? straight to the staging PPA or somewhere for a human to do that?	17:41
jamespage	adam_g, cinder looks OK to me - http://paste.ubuntu.com/5617170/	17:41
jamespage	adam_g, I think step one would be to put it somewhere for a human to review, sign and upload	17:41
jamespage	adam_g, but so long as that proves reliable then full automation ++	17:42
adam_g	jamespage, thats what i was thinking. a staging-staging-PPA so we can ensure builds, as well	17:42
adam_g	need to step away. back in 10	17:43
jamespage	adam_g, yeah - one that inherits of the staging PPA would be neat	17:43
jamespage	hmm - that give me a thought	17:44
jamespage	we could just write a tool that pulls stuff from there, signs the packages and uploads them to the true staging PPA	17:44
jamespage	actually thats almost an extension of the tool I already wrote for syncs staging->proposed->updates	17:45
jamespage	adam_g, other thing I have been doing is switching the build configs from master -> milestone-proposed as the branches are cut	17:47
jamespage	done for cinder and quantum - ttx has been good at pinging me when that has happened	17:48
jamespage	adam_g, if you agree with the approach I took in the mysql charm re openstack-charm-helpers I'll add that to tha ha-helpers branch, re-sync swift-proxy and start working on keystone on monday	17:50
jamespage	I guess the unison helper could live in charm-helpers as well.	17:51
jamespage	And then we can write some unit tests.	17:51
jamespage	w00t	17:51
adam_g	jamespage, +1 to all that. do the branches that have a milestone-proposed also have havana version bump in master?	18:04
jamespage	adam_g, yes	18:04
jamespage	but due to the way we override the OSLO version number in the lab we don't get busted by that	18:04
jamespage	i.e. the release created is always 2013.1	18:04
jamespage	adam_g, OK - I have to go now	18:05
jamespage	adam_g, weekend and all that - I will check back in a bit later +3 hr	18:05
jamespage	ttfn	18:05
adam_g	jamespage, k, looking at the mysql stuff now. after we merge that i'll sync the helpers branch with those changes + anything else still pending	18:05
jamespage	adam_g, ahead of you - lp:~james-page/openstack-charm-helpers/ha-python-updates	18:06
jamespage	feel free to merge - I added headers over the mysql versions to tell people its part of openstack-charm-helpers	18:06
adam_g	doh! :)	18:06
HelloWorld321	I'm looking at a resolved help-forum post that seems similar to my problem (http://boards.portforward.com/viewtopic.php?f=3&t=9910&sid=201967eaaef5c2335ed22ea5a811c5d3&start=10) and I don't know what the poster means in his resolution: "I noticed that the net:bind_ip in utorrent was set to a different internal IP address than the static one assigned my computer, so I just cleared this, so the field was blank.". I'm not	18:35
HelloWorld321	What is net:bind_ip?	18:35
sarnold	HelloWorld321: you were cut off at "I'm not"	18:37
sw	HelloWorld321: net:bind_ip is the IP address that it binds too. from their website: net.bind_ip: If your computer setup requires that you use a specific LAN adapter for incoming connections, you may specify that adapter's IP address here.	18:37
sarnold	HelloWorld321: when a program listens on a socket, it binds a socket to a port on an IP	18:37
sarnold	HelloWorld321: the usual interface is, if no IP address is specified, bind that port on _all_ IPs the machine uses. If an IP is specified, then bind only on that IP, so other IPs on the machine don't expose the service -- or can run a different service.	18:39
HelloWorld321	thanks. so I can find that in netstat?	18:53
HelloWorld321	(cut off at "I'm not"): ... using utorrent, I'm trying to set up an ftp as a proof-of-concept, since I figure ftp is pretty standard (maybe a little too standard: I'll disable it for security once I figure out what's going on with my router), ...	18:53
HelloWorld321	but I don't know what the net:bind_ip is or where to clear it	18:54
sarnold	HelloWorld321: yikes, ftp is a pain in the butt all around :) active vs passive connections is extremely irritating.	18:55
HelloWorld321	I was supposiung that it would be easy, because it was so old and so standard	18:55
HelloWorld321	(afk4lunch!)	18:55
HelloWorld321	bak	19:28
HelloWorld321	I'm able to hit the ftp server from inside the network, so I suppose that the hsot is set up properly	19:28
hrenovo	hi. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE	19:30
hrenovo	I have this rule added in iptables	19:30
hrenovo	is there a way to add it in ufw ?	19:30
hrenovo	if I enable ufw this rule is blocked	19:30
HelloWorld321	My system is listening for ftp on all ip addresses (http://pastebin.com/WjhZtzTX) and I'm having no trouble reaching the ftp server from inside my network, so I believe that my original question about checking/clearing net:bind_ip is not really the issue. Is that correct?	19:46
qman__	HelloWorld321, that is correct	19:52
qman__	FTP is ancient and poorly designed, and does not play well with NAT	19:53
qman__	http://mywiki.wooledge.org/FtpMustDie for more information	19:53
qman__	the short if it is, don't use FTP, SFTP is in all ways superior and you probably already have it	19:53
Pici	Also ,don't confuse FTPS is not SFTP	19:56
Pici	Also ,don't confuse FTPS with SFTP	19:56
* Pici confuses himself sometimes		19:56
Pici	er, not with that, with typing the right thing.	19:56
HelloWorld321	okay, I'll take that into account. But for now, my point isn't actually to set up an FTP server., it's to set up my router. I just want to hit anything inside my network from the world IP address.	19:58
qman__	HelloWorld321, FTP is the worst possible protocol to test that with	19:58
qman__	becuase FTP specifically will not work over a NAT without lots of hacking	19:59
HelloWorld321	I used to run a Ventrilo server, but I had to stop when I got a different router, so now all my gamer friends are bummed.	19:59
HelloWorld321	okay, what's the simplest application to test that with?	19:59
qman__	http or ssh	19:59
HelloWorld321	okay. I have apache running on that same box.	20:00
HelloWorld321	I'll go open those ports and try that.	20:00
=== rook is now known as Guest12763
HelloWorld321	http is port 80, right?	20:01
qman__	yes	20:01
qman__	bear in mind that if you have a residential ISP, they may block it	20:01
qman__	many block 25, 80, and 443	20:01
HelloWorld321	I've thought of that. I asked the support desk. They said they didn't. But they also sounded like they didn't know what "ports" are	20:01
=== Guest12763 is now known as imrook
HelloWorld321	and yes, this is on a residential ISP.	20:02
qman__	I've never seen one that blocks 22 though	20:02
qman__	and you can always try forwarding a high port, like 8080 -> 80	20:03
imrook	I'm trying to build the php5_5.3.10-1ubuntu3.6 source package, but getting "debian/setup-mysql.sh: 44: debian/setup-mysql.sh: USER: parameter not set" during test-results.txt	20:03
HelloWorld321	is 22 sftp?	20:03
qman__	ssh/sftp	20:03
imrook	This was fixed back in 3.3 http://irclogs.ubuntu.com/2012/12/21/%23ubuntu-server.html	20:03
imrook	Is this a known regression?	20:03
HelloWorld321	okay, 80 doesn't work with this configuration.	20:04
RoyK	HelloWorld321: setup ssh and tell us the ip address - unless you have a very bad password, it should be safe to post the address for some of us to test. if you have a bad password, your box will be compromised in hours anyway	20:05
HelloWorld321	I have just tried to sftp localhost, and ssh to the internal ip, so sftp is setup. My outside ip address is 98.148.120.187	20:05
HelloWorld321	o:	20:06
HelloWorld321	but I haven't opened that port yet: 22	20:06
RoyK	hehe	20:06
qman__	yeah, it's being dropped	20:06
HelloWorld321	okay, I think I've opened that port.	20:08
HelloWorld321	But I also think that that's my problem. I'm not setting up the router properly.	20:09
qman__	I got a response	20:09
qman__	it's open	20:09
HelloWorld321	you see me? freaky! yay!	20:09
HelloWorld321	can you guess my password? :P	20:09
qman__	The authenticity of host '98.148.120.187 (98.148.120.187)' can't be established.	20:09
qman__	RSA key fingerprint is 86:6a:1b:00:03:2c:85:bd:6e:2e:dc:31:50:47:6a:2a.	20:09
qman__	so, that part of it works	20:10
HelloWorld321	Hm.	20:10
qman__	you can check if your software is listening correctly by doing `netstat -lanp \| grep $port`	20:11
HelloWorld321	That's not the same figerprint I'm seeing	20:11
HelloWorld321	I can hit ssh & sftp at localhost, but I can't hit them from the external ip I just gave you. Would you mind hitting it one more time, tell me, then I'll disable it, and see if it stopped. Just to make sure that it's me	20:16
hallyn	jamespage: please do let me know if/when tests confirm the /dev/kvm issue is fixed - i'll wait until then to sru the fix. (have written down to look at it again next w if nothing else)	20:18
qman__	HelloWorld321, yes, it's still working	20:20
HelloWorld321	This means that the box will accept ssh from anywhere?: tcp6 0 0 :::22 :::* LISTEN	20:20
qman__	HelloWorld321, most NAT routers won't route traffic back in destined for your external IP	20:20
qman__	you have to specifically configure it	20:20
qman__	so, you can't reliably test the setup from inside your own network	20:21
HelloWorld321	I have stopped forwarding port 22, see if you can hit it now.	20:21
qman__	nope, dropped	20:21
HelloWorld321	Nifty. So I'm onto something here.	20:21
HelloWorld321	and the reason I couldn't do the same with ftp was because it was the hardest example, not the simplest	20:21
qman__	yes	20:21
qman__	FTP requires ports 20 and 21, in addition to a range of high ports	20:21
HelloWorld321	lemme try http now ...	20:21
qman__	and your FTP server must be configured with those high ports, and must also be configured to hand out your internet IP	20:22
qman__	you need a minimum of 3 open ports to handle a single connection	20:22
HelloWorld321	I would suppose that it's generally safe to leave port 22 (ssh) open, as long as I have a strong password policy in place?	20:23
qman__	it's actually best to disable password authentication	20:23
qman__	but if you have strong passwords it should be ok	20:23
qman__	it's also advisable to limit brute forcing through things like fail2ban or a rate limiting firewall	20:23
HelloWorld321	would you mind trying to hit me at http://98.148.120.187	20:23
qman__	squirrelmail	20:24
HelloWorld321	that's right. Thanks!	20:24
HelloWorld321	This was driving me nuts!	20:24
imrook	sshguard is also an easy and effective solution to prevent hammering on 22.	20:24
HelloWorld321	For http, I would suppose I only need TCP open, not UDP?	20:27
HelloWorld321	Thanks qman__, imrook, RoyK. I was totally stuck on that.	20:29
qman__	HelloWorld321, for all of the above, only TCP is needed	20:30
HelloWorld321	I'ma secure my ssh in all the ways you've said: disable password authentication, fail2ban, and sshguard.	20:32
HelloWorld321	fail2ban was already installed and auto-configured. I've poked abuot that documentation, and don't understand a word, from which I'll infer that the default configuration is reasonable?	20:41
HelloWorld321	I've installed sshguard 1.5-4 from the package, and the developer site says that post 1.5 there is zero configuration. Is that correct?	20:55
imrook	If you're just protecting sshd, then yes	20:55
imrook	Aside from the bug I reported that hasn't been closed yet	20:55
imrook	Having the string 'ssh' in your hostname causes the regex to fail and sshguard will not properly detect failed login attempts	20:56
HelloWorld321	bummer. k. that won't be a problem for my hostname	20:56
sarnold	imrook: hah :)	20:58
HelloWorld321	I now beleive I have my port 22 open, sshguard & fail2ban installed, and password authentication turned off for ssh at 98.148.120.187. Care to verify?	21:29
sarnold	HelloWorld321: Permission denied (publickey).	21:30
sarnold	no password prompt. woot.	21:30
HelloWorld321	That's good, right? Yay, I did it. Thanks. That's pretty cool.	21:31
HelloWorld321	Now I can run around opening other ports	21:31
HelloWorld321	I tell ya: it was driving me NUTS!	21:31
HelloWorld321	I totally thought I had a bum router	21:32
sarnold	:)	21:33
dsmythies	Hello, I am not normally on IRC, and am actually somewhat IRC challenged, but there is an issue I was hoping to get help with.	22:31
dsmythies	.	22:31
dsmythies	The computer is an Ubuntu Server 12.04 LTS with no GUI. To install a virtual machine (a ubuntu 12.04 server again) I am following the Ubuntu Serverguide Virtualization chapter, sub-section 1 Libvirt.	22:31
dsmythies	The problem is that I can not figure how to complete a virtual machine installation, without either a GUI or a 2nd computer with a VNC viewer client.	22:31
dsmythies	The serverguide sub-chapter mentions both virt-manager and virt-viewer, but both require a GUI.	22:31
dsmythies	I finally figured out that I could use another computer with both a GUI and a VNC viewer client, if I used this command:	22:31
dsmythies	.	22:31
dsmythies	sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio --connect=qemu:///system --graphics vnc,listen=0.0.0.0 --noautoconsole -v	22:31
dsmythies	.	22:32
sarnold	dsmythies: (please don't use . to try to add paragraphing to irc :)	22:32
dsmythies	The important part of the command being: "--graphics vnc,listen=0.0.0.0"	22:32
dsmythies	.	22:32
dsmythies	My question: Is there a (Libvirt) way on a non-GUI server without involving other computers?	22:32
dsmythies	.	22:32
dsmythies	References:	22:32
dsmythies	https://help.ubuntu.com/12.10/serverguide/libvirt.html	22:32
dsmythies	https://bugs.launchpad.net/serverguide/+bug/1129649	22:32
uvirtbot	Launchpad bug 1129649 in serverguide "Chapter 20 - Subsection 1 - Virtualization - Libvirt needs updating" [Undecided,In progress]	22:32
dsmythies	http://ubuntuforums.org/showthread.php?t=2116415	22:33
dsmythies	.	22:33
sarnold	dsmythies: have you tried leaving off the --graphics command line option?	22:33
sarnold	dsmythies: I use the 'uvt' wrapper to build, snapshot, and revert VMs, no VNC required: https://wiki.ubuntu.com/SecurityTeam/TestingEnvironment	22:33
sarnold	dsmythies: .. though it is Yet Another Tool to configure.	22:33
dsmythies	If I leave off the --graphics line, then I am unable to connec to anything.	22:34
dsmythies	I do not know of "uvt", but will look into it. Right now I am specifically trying to use virt-install...	22:34
dsmythies	In the end, I hope to edit the serverguide itself with better emphasis on a non-GUI server.	22:35
sarnold	dsmythies: uvt doesn't do anything that you couldn't otherwise do, but it does make it easy to ignore the virt-* details :D	22:35
dsmythies	Before the --graphics stuff, this is the command I was trying:	22:39
dsmythies	sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio -v	22:39
luminous	hello! what is the ubuntu solution to easily encrypting/decrypting a directory	23:24
luminous	similar to truecrypt, but not tc	23:24
sarnold	luminous: ecryptfs if you just want directories; dm-crypt on an entire block device if you want everything...	23:25
luminous	the fuse encfs?	23:25
luminous	sarnold: ^^	23:26
tyhicks	luminous: ecryptfs and encfs are similar	23:27
tyhicks	luminous: you get to choose :)	23:27
luminous	but not the same	23:27
tyhicks	no, different implementation	23:27
luminous	interesting.. i will need to read more	23:27
tyhicks	ecryptfs is an in-kernel filesystem, encfs is fuse based	23:27
luminous	great!	23:28
* luminous does not like fuse		23:28
tyhicks	ecryptfs will get you a little better performance, encfs probably has more knobs and features (but I haven't looked at it in a while)	23:28
luminous	ll i need is to be able to do is copy/store a git repo and some files	23:29
luminous	to confirm, encryptfs requires one to decrypt, edit/update/read, then encrypt, w/ encryption/decryption initiated manually - correct?	23:30
tyhicks	luminous: no, it does it all transparently	23:30
sarnold	luminous: ecryptfs is intended to be transparent -- once mouted, the decryption and encryption happen for you	23:31
tyhicks	luminous: it is a stacked filesystem that goes on top of your existing local filesystem	23:31
luminous	or, said another way... if in use, it is readable to all / like a normal directory	23:31
luminous	it has to be unmounted to be 'protected'	23:31
patdk-lap	once unlocked it's usable by the whole system, yes	23:31
luminous	k, good to know, ty	23:31
tyhicks	luminous: yes... it is close enough to be considered a posix compliant filesystem	23:31
sarnold	luminous: if you're instead wanting git to store remote repositories encrypted, there's a tool for that specifically under development: https://github.com/blake2-ppc/git-remote-gcrypt	23:33
luminous	that's cool	23:33
luminous	i'll check it out, though i do want to feel reasonably confident in the setup	23:34
sarnold	no doubt ecryptfs has seen more development time and more peer review :)	23:34
luminous	yea	23:35
luminous	thanks for your input!	23:38
luminous	it is apprecited	23:38
sarnold	have fun :)	23:38
luminous	oh, and if interested in this stuff.. have a peek at crypton.io	23:39
sarnold	nice :)	23:40
luminous	yea :) still early, but very promising	23:40
luminous	and backed by spideroak.com	23:40
=== wedgwood is now known as wedgwood_away

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!