qman__ | I think I'm running into bug 633392 | 00:00 |
---|---|---|
uvirtbot | Launchpad bug 633392 in linux "Bridged Guests losing network connectivity" [High,Expired] https://launchpad.net/bugs/633392 | 00:00 |
qman__ | unfortunately it went unresolved | 00:00 |
qman__ | I'll try unbonding and see if it solves the problem | 00:00 |
qman__ | yep, it did | 00:05 |
qman__ | so I guess bonding + bridging + kvm is broken | 00:05 |
patdk-lap | can't say I ever joined bonding + bridging | 00:06 |
qman__ | bonding + bridging works great on the host OS | 00:06 |
qman__ | it just breaks stuff with the KVM guests | 00:07 |
qman__ | not sure where the fault is | 00:07 |
patdk-lap | bonding and bridging on the host and normal nic on kvm guest? | 00:07 |
qman__ | yes | 00:07 |
qman__ | both normal nic and a guest with a bridge | 00:07 |
qman__ | same thing happens to both guests | 00:08 |
patdk-lap | and firewall rules on the host? | 00:08 |
qman__ | accept all | 00:08 |
qman__ | it just has the normal KVM stuff | 00:09 |
qman__ | or libvirt | 00:09 |
qman__ | or whatever puts it in there | 00:09 |
patdk-lap | just thinking :) I normally put a firewall on the host | 00:09 |
qman__ | yeah, this is all externally secured | 00:09 |
RoyK | bonding on the host, not the guest? | 00:10 |
qman__ | yes | 00:10 |
RoyK | what sort of bonding? | 00:10 |
qman__ | balance-rr | 00:11 |
qman__ | I don't have smart hardware | 00:11 |
qman__ | unmanaged switch, two different types of NIC | 00:11 |
RoyK | bonding to a single switch? | 00:11 |
qman__ | yes | 00:11 |
RoyK | then why not LACP? | 00:12 |
RoyK | should work well | 00:12 |
RoyK | perhaps not to a dumb switch, though | 00:12 |
qman__ | yeah, I don't think I can | 00:13 |
qman__ | I just wanted to try and squeeze some more bandwidth out of it | 00:13 |
qman__ | it's not critical, just annoying that it's broken | 00:13 |
RoyK | get a good switch | 00:13 |
RoyK | well, file a bug report | 00:13 |
RoyK | if enough users/developers think it's a problem, it'll be solved | 00:14 |
MraAlbertina | hi. could you please help me sonve this issue; "perl: warning: Setting locale failed." Pastebin: http://pastebin.com/p3N17prX | 00:26 |
MraAlbertina | sonve/solve.. | 00:27 |
sarnold | MraAlbertina: 'locale -a' will show you the installed locales on your system | 00:28 |
sarnold | MraAlbertina: I guess one of your locale variables there is not one of the legal values reported by locale -a | 00:28 |
MraAlbertina | wow... I need to discover where that is | 00:29 |
MraAlbertina | sarnold: I have a C and C.UTF-8 after 'locale -a'; everything else seems ok (all en_**.utf8) | 00:30 |
MraAlbertina | I have no clue where that C is coming from. might that be the problem? | 00:31 |
sarnold | MraAlbertina: "C" is the safe fallback :) | 00:32 |
MraAlbertina | oh | 00:32 |
MraAlbertina | oh, another entry I have is POSIX, besides that C and all en* | 00:32 |
MraAlbertina | is it possible to reconfigure locale, in a quick fix, sarnold ? | 00:35 |
qman__ | pretty sure this one is the problem: LC_ALL = (unset), | 00:35 |
MraAlbertina | because everything seems ok, with locale -a | 00:36 |
qman__ | there's a dpkg-reconfigure you can do to set the locale | 00:36 |
qman__ | I can't remember which package though | 00:36 |
MraAlbertina | I saw that LC_ALL = (unset) somewhere | 00:37 |
qman__ | related: http://ubuntuforums.org/showthread.php?t=1720356 | 00:37 |
qman__ | shows three methods to fix, in the order you should try them | 00:37 |
MraAlbertina | oh, ya, on the first "warning" I got, in the pastebin | 00:37 |
MraAlbertina | LC_ALL = (unset), | 00:38 |
MraAlbertina | okay, thanks so much qman__ | 00:38 |
MraAlbertina | thanks sarnold | 00:39 |
sarnold | MraAlbertina: what fixed it? :) | 00:39 |
MraAlbertina | going for a reboot after editing /etc/environment and I'll tell you :) | 00:40 |
MraAlbertina | sarnold: adding: LC_ALL="en_GB.utf8" -to- /etc/environment and rebooting solved it | 00:44 |
sarnold | MraAlbertina: excellent :) thanks | 00:44 |
MraAlbertina | thanks for discovering that qman__ | 00:44 |
patdk-lap | isn't bond-mode balance-tlb going be better than balance-rr? | 01:10 |
patdk-lap | balance-rr when using a single switch, can cause out of order packets | 01:10 |
patdk-lap | that might be your issue | 01:10 |
patdk-lap | the other one, balance-a?? can cause issues with devices that depend on the mac being static (cable modems, some switches' management interfaces, basically anything using mac for a security cookie) | 01:12 |
sarnold | qman__: ^^^ | 01:12 |
qman__ | while that's possible I don't think it's the problem at hand, when watching a tcpdump, the arp requests go through the bridge and get back to my host, but simply don't get to the guests, most of the time | 01:12 |
qman__ | and the host has no issues at all communicating with the rest of the network over the bridge on the bond | 01:13 |
patdk-lap | ya, I imagine the balance-rr issue will be more if you load the interfaces up good | 01:14 |
patdk-lap | I believe I have seen that arp issue before | 01:14 |
patdk-lap | but it's been awhile | 01:14 |
qman__ | likewise, real hosts on the LAN can reach the guests just fine, it only applies to the guests trying to initiate | 01:15 |
patdk-lap | I've definitely seen that before | 01:16 |
patdk-lap | but totally can't remember what it was | 01:16 |
patdk-lap | I don't use kvm, but used to use xen with bridges like that | 01:16 |
autoditac | hey everyone. is this the right channel to ask questions regarding nfs on ubuntu? | 01:40 |
autoditac | I'd be glad if someone could give me a hint regarding posix acls and nfs4 on ubuntu. | 01:41 |
autoditac | question is: will posix acls be applied if I access a ext3 filesystem with heavy usage of acls using nfs 4 without using kerberos? I have the same userbase both on the client and the server (LDAP) | 01:44 |
xnox | yes, but they will be able to bypass it, if they have root on the client. | 01:44 |
autoditac | hi, xnox :) | 01:45 |
autoditac | xnox, users don't have root access on the client. furthermore, no_root_squash is not set | 01:46 |
autoditac | I was just wondering if the nfs4 acls and posix_acls map and if the acls get enforced on the server or on the client side? | 01:48 |
patdk-lap | enforced on the client | 01:50 |
buengenio | guys, can somebody please recommend a shared calendar server/service? | 02:02 |
patdk-lap | gmail? | 02:02 |
resno | buengenio: google calendar? | 02:02 |
* | resno highfives patdk-lap | 02:02 |
patdk-lap | just dunno what a shared calendar server/service is | 02:03 |
patdk-lap | like a community calendar? a wordpress plugin? | 02:03 |
buengenio | no, like a caldav | 02:03 |
patdk-lap | or like exchange/outlook? a webmail thing? | 02:03 |
patdk-lap | isn't caldav a protocol? | 02:03 |
buengenio | exchange/outlook type of thing but that can work with Outlook/Thunderbird/Mail, etc.... | 02:03 |
patdk-lap | heh? | 02:03 |
sarnold | good luck with outlook :/ | 02:04 |
patdk-lap | outlook does its own thing | 02:04 |
holstein | you can use google cal with those | 02:04 |
buengenio | I'd love to say that to our boss | 02:04 |
patdk-lap | and last I knew thunderbird and that doesn't support calendars | 02:04 |
resno | I'm still suggesting google calendar | 02:04 |
patdk-lap | buengenio, install exchange | 02:04 |
buengenio | no thank | 02:04 |
buengenio | no thanks | 02:04 |
resno | can you even install exchange in linux? | 02:04 |
sarnold | buengenio: iirc there's a horrible plugin thingy for outlook to make google calendars work there. I'm sure they did their best, but I don't think outlook was meant to have plugins. so. | 02:04 |
buengenio | but boss is sticking with Outlook till dies irae | 02:04 |
patdk-lap | I run exchange 2010 currently, not a big deal | 02:05 |
patdk-lap | buengenio, next best thing, outlook365 :) | 02:05 |
buengenio | isn't there something OSS? | 02:05 |
buengenio | standards based | 02:05 |
buengenio | that works everywhere? | 02:05 |
patdk-lap | there are standards? | 02:05 |
sarnold | buengenio: it's the "works everywhere" that fails, outlook doesn't want to play that game. | 02:06 |
patdk-lap | outlook has no standards, at least till outlook 2013, then it can use activesync | 02:06 |
sarnold | buengenio: and iirc nothing else really speaks exchange | 02:06 |
sarnold | (client-side) | 02:06 |
holstein | owncloud | 02:06 |
patdk-lap | I guess you could install horde webmail, setup activesync, then use outlook2013 | 02:06 |
patdk-lap | I have not *tested* that though | 02:06 |
resno | theres zimbra | 02:07 |
resno | zimbra the paid version speaks it | 02:07 |
patdk-lap | there is always openchange | 02:07 |
patdk-lap | no idea how well that works | 02:07 |
sarnold | buengenio: I've heard good things about http://en.wikipedia.org/wiki/Open-Xchange but never used it myself | 02:07 |
shauno | I'd be wary of google calendar, their caldav access is on the chopping board | 02:11 |
buengenio | Their biggest problem is that adding event invitations sent to a non GMail address doesn't work | 02:12 |
buengenio | At least in Thunderbird | 02:12 |
patdk-lap | heh? | 02:12 |
buengenio | which is what almost everyone uses at the office | 02:12 |
resno | if you had users comfortable with ftp, how would you allow them to upload their files? | 02:17 |
resno | what's a reasonable alternative or a secure ftp server? | 02:18 |
sarnold | resno: I'd get them comfortable with sftp right quick. | 02:19 |
patdk-lap | there is no difference between ftp and sftp these days to a user | 02:19 |
sarnold | except no more baffling image vs text or pasv vs active :) | 02:20 |
patdk-lap | hmm, most programs hide that too :) | 02:20 |
patdk-lap | just when it won't work, do you have to deal with it :) | 02:20 |
sarnold | :D | 02:21 |
patdk-lap | like my friends router that messed up active ftp :) | 02:21 |
resno | is sftp that much improved over ftp? | 02:21 |
patdk-lap | resno, yes and no | 02:22 |
resno | I'm sure the "s" brings secure, but is it night and day | 02:22 |
patdk-lap | personally I hate sftp | 02:22 |
resno | I hate s/ftp | 02:22 |
patdk-lap | but it uses a single connection, unlike ftp, fixing nat issues | 02:22 |
patdk-lap | and it uses ssh | 02:22 |
patdk-lap | so it just works better :) | 02:22 |
resno | oh? | 02:22 |
resno | so, I wouldn't need an ftp server? | 02:23 |
patdk-lap | depends | 02:23 |
patdk-lap | most ftp servers these days support sftp too | 02:23 |
resno | you give me hope and then snatch it away | 02:23 |
patdk-lap | but give you more control than ssh will give you for sftp | 02:23 |
patdk-lap | all depends on what goal you have | 02:23 |
patdk-lap | use ssh for both | 02:24 |
patdk-lap | or use like proftpd for sftp | 02:24 |
patdk-lap | I think pure-ftp does it too now, but haven't checked | 02:24 |
resno | theres 3 main ftp servers right? | 02:24 |
patdk-lap | what is *main*? | 02:24 |
resno | uhm | 02:26 |
resno | I'll look into proftpd | 02:26 |
resno | I've managed to avoid ftp being installed, so I want to make sure it's all good and secure | 02:26 |
patdk-lap | there is one issue with that :) | 02:27 |
patdk-lap | you can't have both proftpd and ssh both listening on port 22 (I believe, maybe they did a passthrough thing?) | 02:27 |
patdk-lap | so you would have to move normal ssh to another port | 02:27 |
resno | you cant have proftpd listen on another port as well? | 02:28 |
resno | seems like a recipe for disaster | 02:28 |
patdk-lap | if you have it listen on another port, it will confuse users | 02:28 |
patdk-lap | when they use the default port :) | 02:28 |
sarnold | man, i'd so much rather just rely on sshd to do sftp rather than get one of the ftpd servers involved. | 02:28 |
patdk-lap | sarnold, like I said it depends :) | 02:29 |
patdk-lap | the ftp server has more control, than ssh gives you per user | 02:29 |
patdk-lap | and personally, I love file upload notifications | 02:29 |
patdk-lap | so I can realtime scan and check files people upload | 02:29 |
resno | patdk-lap: do you do that even for trusted users? ie) coworkers | 02:30 |
sarnold | something that'd be annoying to put together with incron and sshd over a few thousand users :) | 02:30 |
resno | I don't know your environment | 02:30 |
patdk-lap | trusted users? those exist? | 02:30 |
patdk-lap | anyones account could be compromised | 02:30 |
resno | true | 02:30 |
resno | hmm, I didn't think of that actually | 02:30 |
=== | VD is now known as Guest32085 | |
=== | freeflyi1g is now known as freeflying | |
=== | smb` is now known as smb | |
jamespage | yolanda_, https://code.launchpad.net/~james-page/python-quantumclient/grizzly-2.2.0/+merge/153512 | 09:36 |
jamespage | when you get a chance please :-) | 09:36 |
yolanda_ | jamespage, meeting | 09:36 |
jamespage | yolanda_, (I know :-)) | 09:37 |
nailora | sarnold: i found this https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1008400 | 09:54 |
uvirtbot | Launchpad bug 1008400 in linux "Ubuntu server uses CFQ scheduler instead of deadline" [Medium,In progress] | 09:54 |
yolanda_ | jamespage, I'm looking at the code in the diff, I see that in changelog * debian/control: Set version minimum for python-cliff (>= 1.3.1). | 10:00 |
yolanda_ | but I don't see that reflected in the diff, is that from a previous commit? | 10:00 |
jamespage | yolanda_, yeah - it needed a tweak in the changelog to drop the ~ | 10:21 |
jamespage | as changelog and change did not actually match | 10:21 |
yolanda_ | approved it | 10:22 |
jamespage | bug 1155556 | 11:39 |
uvirtbot | Launchpad bug 1155556 in maas "HP ProLiant DL380 G7 tftps kernel, but initrd tracebacks in tftp server. DL380 G6 succeeds." [Undecided,New] https://launchpad.net/bugs/1155556 | 11:39 |
jamespage | adam_g, reviewed and uploaded to folsom CA | 11:45 |
jamespage | adam_g, I swept that and the django fix through to -updates | 11:45 |
smoser | roaksoax, jamespage woot, isc-dhcp in raring with our no maas no-uuid patch. | 12:15 |
smoser | er.. whatever that patch was. thanks to stgraber | 12:15 |
jamespage | smoser, great! | 12:15 |
roaksoax | smoser: nice!! | 12:43 |
smoser | roso I guess actually, in raring you should modify maas to use that. | 12:44 |
smoser | in its default config. | 12:44 |
zetheroo | got a couple ubuntu servers both running 12.04.2 here ... one looks like this when logged in "[root@mars ~]#" while the other looks like this "root@saturn:~#" ... why does mars have those brackets ? | 13:02 |
patdk-wk | probably cause of the shell you're using | 13:03 |
zetheroo | I am accessing them both through the same terminal via ssh ... | 13:04 |
zetheroo | all servers are using bash shell | 13:07 |
zetheroo | weird ... I closed the saturn session and reopened it and now saturn has those brackets ... [root@saturn ~]# | 13:08 |
jamespage | adam_g, http://people.canonical.com/~jamespage/ca-updates/ | 13:26 |
jamespage | quantumclient and new version of python-django-compressor for horizon | 13:26 |
crankharder | what is it about this builder command that I can't ssh or telnet into the host once it's built & started? https://gist.github.com/crankharder/c0063a365996f90b170c | 13:33 |
ttx | jamespage: cinder milestone-proposed cut | 13:39 |
jamespage | ttx, ta | 13:39 |
* | jamespage switches configs | 13:39 |
soren | Daviey: There's a question for you(r team) in my post to the tb mailing list earlier today. Would you mind (having one of your minions) taking a look? | 13:51 |
=== | wedgwood_away is now known as wedgwood | |
Daviey | soren: I am the minion to the cretins. :) | 13:57 |
soren | Daviey: That's the spirit. | 13:59 |
Daviey | soren: I'll reply to that.. just not right now. Thanks for raising it | 13:59 |
soren | Daviey: By extension, is... err.. Rick Spencer your minion? | 13:59 |
Daviey | soren: The higher you go, the least important you become.. so yes :) | 14:00 |
Daviey | I say jump. and he says, | 14:01 |
Daviey | "your're fired" | 14:01 |
pmatulis | hmph, on quantal (at least) i see that 'deluser --remove-home' does not remove the home directory, just the files | 14:05 |
Croves | Hello guys! I'm trying to install Ubuntu Server 12.04 i386 on a XenServer Virtual Machine, but when I try to install the system, I get this error: "Your installation CD-ROM couldn't be mounted. This probably means that the CD-ROM was not in the drive. " | 14:12 |
Croves | Any idea? | 14:12 |
saki` | hi ho | 14:18 |
saki` | i was wondering | 14:18 |
saki` | if i could run an ubuntu server OS off a live usb? | 14:18 |
melmoth | saki`, http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator | 14:21 |
crankharder | what is it about this builder command that I can't ssh or telnet into the host once it's built & started? https://gist.github.com/crankharder/c0063a365996f90b170c | 14:23 |
Croves | Anyone here is familiar with XenServer? | 14:23 |
saki` | thanks melmoth | 14:29 |
saki` | maybe i should mention | 14:29 |
saki` | i'm going to be trying to run this off it: http://www.sourcefabric.org/en/airtime/download/ | 14:29 |
melmoth | saki`, the usb creator thingy lets you have a "stat" in your live usb system. which means, any change you make, will be there after a reboot. | 14:31 |
melmoth | so you can apt-get install or compile stuff you need, and they will be available on the usb stick. | 14:31 |
melmoth | all you need is... space on the key. | 14:31 |
saki` | okay cool, so a persistent install or whatever yeah? | 14:32 |
saki` | thanks melmoth. | 14:32 |
melmoth | indeed. | 14:32 |
melmoth | when you create the key, you have an option about "casper", that's the persistent stuff | 14:32 |
melmoth | basically, it asks you how much space you want to allocate to the persistent storage (if i understand correctly) | 14:33 |
saki` | ah ok | 14:33 |
melmoth | I don't know the details, I just know it "just worked" last time I needed it | 14:33 |
saki` | hmm this seems to require me to compile it somewhere. if this works let me try and use a windows based installer instead. | 14:34 |
saki` | as in, if it works anyway | 14:34 |
saki` | you wouldn't happen to know of one would you melmoth? the only one i know of is YUMI, and that's for multiboot stuff | 14:38 |
melmoth | nope, sorry. | 14:39 |
saki` | ah no worries | 14:40 |
saki` | found one | 14:40 |
zetheroo | in trying to setup glusterfs here I am running into this message and cannot seem to find a fix that works for me: /mnt/gluster or a prefix of it is already part of a volume | 14:45 |
=== | wedgwood is now known as wedgwood_away | |
=== | wedgwood_away is now known as wedgwood | |
=== | HappyLoaf is now known as Gemma-and-Sp00n | |
=== | Gemma-and-Sp00n is now known as HappyLoaf | |
=== | HappyLoaf is now known as Mr_Spock | |
=== | Mr_Spock is now known as HappyLoadf | |
=== | HappyLoadf is now known as HappyLoaf | |
hrenovo | so to add a rule with ufw I do something like this "ufw allow 8080" , now how can I delete this rule from showing up in "ufw status" ? | 15:33 |
jpds | hrenovo: That's... not supposed to be done? | 15:33 |
jpds | Why would you add a rule, then hide its existence? | 15:34 |
hrenovo | if I no longer need it | 15:34 |
hrenovo | not hide, just get rid of it | 15:34 |
hrenovo | I figured it out | 15:34 |
hrenovo | it's ufw delete allow 8080 | 15:34 |
hrenovo | like that | 15:34 |
jpds | hrenovo: Ah, right. :) | 15:38 |
fabiofranco | something weird is happening with my tomcat7 and mysql server. when I add firewall rules with iptables to open the port 8080 and 3306 and add the last rule dropping everything else the communication between tomcat7 and mysql just stops... any thoughts? | 16:45 |
patdk-wk | fabiofranco, thoughts without seeing the rules? | 16:57 |
fabiofranco | sure, I add: iptables -A INPUT -j ACCEPT -p tcp --dport 8080, iptables -A INPUT -j ACCEPT -p tcp --dport 3306 and finally iptables -A INPUT -j DROP -p tcp | 16:58 |
fabiofranco | just those three... and after I add the last one the communication stops immediately | 16:59 |
fabiofranco | I add the one open ssh too of course | 16:59 |
qman__ | you need to add rules to allow all traffic on the loopback interface | 16:59 |
fabiofranco | qman__ example pls? | 17:00 |
adam_g | jamespage, those 2 new CA updates LGTM | 17:00 |
qman__ | iptables -A INPUT -i lo -j ACCEPT | 17:01 |
qman__ | iptables -A OUTPUT -o lo -j ACCEPT | 17:01 |
fabiofranco | qman__ i see.. gonna give a try | 17:02 |
qman__ | also, it's conventional to put the -j at the end of each line | 17:03 |
qman__ | not sure if it affects the rules | 17:03 |
qman__ | but if it does, your last rule could mean iptables -A INPUT -j DROP, which would certainly not be great | 17:04 |
qman__ | also, do you have rules for established traffic? | 17:04 |
qman__ | iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT | 17:04 |
fabiofranco | no, I don't | 17:05 |
qman__ | you definitely need that too | 17:05 |
fabiofranco | gonna apply it right now | 17:05 |
jamespage | adam_g, great - ta | 17:07 |
fabiofranco | qman__ do you think the last rule should be iptables -A INPUT -j DROP? | 17:10 |
qman__ | it can but that will break all icmp and udp traffic | 17:12 |
qman__ | so if you want any of either, make sure you allow it first | 17:12 |
fabiofranco | qman__ I see... gonna try it | 17:13 |
fabiofranco | qman__ it worked... thanks a lot | 17:17 |
jamespage | adam_g, that horizon oddness with firefox is fixed with the new version of django-compressor | 17:24 |
adam_g | jamespage, great | 17:25 |
adam_g | jamespage, which projects are we waiting on for RC1? | 17:25 |
jamespage | adam_g, most of them | 17:25 |
adam_g | ah | 17:26 |
jamespage | quantum and cinder have released rc1's | 17:26 |
jamespage | I started on quantum | 17:26 |
jamespage | but noticed the watch file does not work that well and got distracted.... | 17:27 |
jamespage | adam_g, MP for quantum rc - https://code.launchpad.net/~james-page/quantum/grizzly-rc1/+merge/153606 | 17:34 |
adam_g | jamespage, nice. | 17:35 |
jamespage | adam_g, I think all the required deps are in the grizzly-staging PPA now | 17:35 |
jamespage | there are a few catchups outstanding but nothing critical. | 17:35 |
adam_g | jamespage, when I got online, saw a precise+grizzly test had just failed on volume creation. hope it's something transient. :) | 17:36 |
jamespage | adam_g, hmm - worked a few minutes ago - I'll try again | 17:36 |
jamespage | adam_g, btw I'm working on a tool to make backporting easier | 17:37 |
jamespage | ca-backport-package 'os_series' 'package' 'Comment for Changelog' | 17:38 |
adam_g | jamespage, hah | 17:38 |
jamespage | hopefully it will mean the only thing you can get wrong is the changelog comment :-) | 17:38 |
adam_g | jamespage, I just did this yesterday http://paste.ubuntu.com/5617160/ | 17:38 |
jamespage | adam_g, lol | 17:39 |
jamespage | great minds and all that | 17:39 |
jamespage | we should consolidate stuff | 17:39 |
jamespage | mine's a bit more hacky right now | 17:39 |
adam_g | jamespage, yeah, what are your thoughts on making this automated, in response to the version_drift failing? | 17:39 |
jamespage | adam_g, I'd be up for that - I implemented the changes we discussed in the CA archive admin tooling to help support that today | 17:40 |
jamespage | ca admins now get the change details so can choose to ignore things. | 17:40 |
adam_g | jamespage, where do you envision the bot pushing the auto-built backports? straight to the staging PPA or somewhere for a human to do that? | 17:41 |
jamespage | adam_g, cinder looks OK to me - http://paste.ubuntu.com/5617170/ | 17:41 |
jamespage | adam_g, I think step one would be to put it somewhere for a human to review, sign and upload | 17:41 |
jamespage | adam_g, but so long as that proves reliable then full automation ++ | 17:42 |
adam_g | jamespage, that's what I was thinking. a staging-staging-PPA so we can ensure builds, as well | 17:42 |
adam_g | need to step away. back in 10 | 17:43 |
jamespage | adam_g, yeah - one that inherits of the staging PPA would be neat | 17:43 |
jamespage | hmm - that gives me a thought | 17:44 |
jamespage | we could just write a tool that pulls stuff from there, signs the packages and uploads them to the true staging PPA | 17:44 |
jamespage | actually that's almost an extension of the tool I already wrote for syncs staging->proposed->updates | 17:45 |
jamespage | adam_g, other thing I have been doing is switching the build configs from master -> milestone-proposed as the branches are cut | 17:47 |
jamespage | done for cinder and quantum - ttx has been good at pinging me when that has happened | 17:48 |
jamespage | adam_g, if you agree with the approach I took in the mysql charm re openstack-charm-helpers I'll add that to the ha-helpers branch, re-sync swift-proxy and start working on keystone on monday | 17:50 |
jamespage | I guess the unison helper could live in charm-helpers as well. | 17:51 |
jamespage | And then we can write some unit tests. | 17:51 |
jamespage | w00t | 17:51 |
adam_g | jamespage, +1 to all that. do the branches that have a milestone-proposed also have havana version bump in master? | 18:04 |
jamespage | adam_g, yes | 18:04 |
jamespage | but due to the way we override the OSLO version number in the lab we don't get busted by that | 18:04 |
jamespage | i.e. the release created is always 2013.1 | 18:04 |
jamespage | adam_g, OK - I have to go now | 18:05 |
jamespage | adam_g, weekend and all that - I will check back in a bit later +3 hr | 18:05 |
jamespage | ttfn | 18:05 |
adam_g | jamespage, k, looking at the mysql stuff now. after we merge that I'll sync the helpers branch with those changes + anything else still pending | 18:05 |
jamespage | adam_g, ahead of you - lp:~james-page/openstack-charm-helpers/ha-python-updates | 18:06 |
jamespage | feel free to merge - I added headers over the mysql versions to tell people it's part of openstack-charm-helpers | 18:06 |
adam_g | doh! :) | 18:06 |
HelloWorld321 | I'm looking at a resolved help-forum post that seems similar to my problem (http://boards.portforward.com/viewtopic.php?f=3&t=9910&sid=201967eaaef5c2335ed22ea5a811c5d3&start=10) and I don't know what the poster means in his resolution: "I noticed that the net:bind_ip in utorrent was set to a different internal IP address than the static one assigned my computer, so I just cleared this, so the field was blank.". I'm not | 18:35 |
HelloWorld321 | What is net:bind_ip? | 18:35 |
sarnold | HelloWorld321: you were cut off at "I'm not" | 18:37 |
sw | HelloWorld321: net:bind_ip is the IP address that it binds to. from their website: net.bind_ip: If your computer setup requires that you use a specific LAN adapter for incoming connections, you may specify that adapter's IP address here. | 18:37 |
sarnold | HelloWorld321: when a program listens on a socket, it binds a socket to a port on an IP | 18:37 |
sarnold | HelloWorld321: the usual interface is, if no IP address is specified, bind that port on _all_ IPs the machine uses. If an IP is specified, then bind only on that IP, so other IPs on the machine don't expose the service -- or can run a different service. | 18:39 |
HelloWorld321 | thanks. so I can find that in netstat? | 18:53 |
HelloWorld321 | (cut off at "I'm not"): ... using utorrent, I'm trying to set up an ftp as a proof-of-concept, since I figure ftp is pretty standard (maybe a little too standard: I'll disable it for security once I figure out what's going on with my router), ... | 18:53 |
HelloWorld321 | but I don't know what the net:bind_ip is or where to clear it | 18:54 |
sarnold | HelloWorld321: yikes, ftp is a pain in the butt all around :) active vs passive connections is extremely irritating. | 18:55 |
HelloWorld321 | I was supposing that it would be easy, because it was so old and so standard | 18:55 |
HelloWorld321 | (afk4lunch!) | 18:55 |
HelloWorld321 | bak | 19:28 |
HelloWorld321 | I'm able to hit the ftp server from inside the network, so I suppose that the host is set up properly | 19:28 |
hrenovo | hi. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | 19:30 |
hrenovo | I have this rule added in iptables | 19:30 |
hrenovo | is there a way to add it in ufw ? | 19:30 |
hrenovo | if I enable ufw this rule is blocked | 19:30 |
HelloWorld321 | My system is listening for ftp on all ip addresses (http://pastebin.com/WjhZtzTX) and I'm having no trouble reaching the ftp server from inside my network, so I believe that my original question about checking/clearing net:bind_ip is not really the issue. Is that correct? | 19:46 |
qman__ | HelloWorld321, that is correct | 19:52 |
qman__ | FTP is ancient and poorly designed, and does not play well with NAT | 19:53 |
qman__ | http://mywiki.wooledge.org/FtpMustDie for more information | 19:53 |
qman__ | the short of it is, don't use FTP, SFTP is in all ways superior and you probably already have it | 19:53 |
Pici | Also ,don't confuse FTPS is not SFTP | 19:56 |
Pici | Also ,don't confuse FTPS with SFTP | 19:56 |
* | Pici confuses himself sometimes | 19:56 |
Pici | er, not with that, with typing the right thing. | 19:56 |
HelloWorld321 | okay, I'll take that into account. But for now, my point isn't actually to set up an FTP server, it's to set up my router. I just want to hit anything inside my network from the world IP address. | 19:58 |
qman__ | HelloWorld321, FTP is the worst possible protocol to test that with | 19:58 |
qman__ | because FTP specifically will not work over a NAT without lots of hacking | 19:59 |
HelloWorld321 | I used to run a Ventrilo server, but I had to stop when I got a different router, so now all my gamer friends are bummed. | 19:59 |
HelloWorld321 | okay, what's the simplest application to test that with? | 19:59 |
qman__ | http or ssh | 19:59 |
HelloWorld321 | okay. I have apache running on that same box. | 20:00 |
HelloWorld321 | I'll go open those ports and try that. | 20:00 |
=== | rook is now known as Guest12763 | |
HelloWorld321 | http is port 80, right? | 20:01 |
qman__ | yes | 20:01 |
qman__ | bear in mind that if you have a residential ISP, they may block it | 20:01 |
qman__ | many block 25, 80, and 443 | 20:01 |
HelloWorld321 | I've thought of that. I asked the support desk. They said they didn't. But they also sounded like they didn't know what "ports" are | 20:01 |
=== | Guest12763 is now known as imrook | |
HelloWorld321 | and yes, this is on a residential ISP. | 20:02 |
qman__ | I've never seen one that blocks 22 though | 20:02 |
qman__ | and you can always try forwarding a high port, like 8080 -> 80 | 20:03 |
imrook | I'm trying to build the php5_5.3.10-1ubuntu3.6 source package, but getting "debian/setup-mysql.sh: 44: debian/setup-mysql.sh: USER: parameter not set" during test-results.txt | 20:03 |
HelloWorld321 | is 22 sftp? | 20:03 |
qman__ | ssh/sftp | 20:03 |
imrook | This was fixed back in 3.3 http://irclogs.ubuntu.com/2012/12/21/%23ubuntu-server.html | 20:03 |
imrook | Is this a known regression? | 20:03 |
HelloWorld321 | okay, 80 doesn't work with this configuration. | 20:04 |
RoyK | HelloWorld321: setup ssh and tell us the ip address - unless you have a very bad password, it should be safe to post the address for some of us to test. if you have a bad password, your box will be compromised in hours anyway | 20:05 |
HelloWorld321 | I have just tried to sftp localhost, and ssh to the internal ip, so sftp is setup. My outside ip address is 98.148.120.187 | 20:05 |
HelloWorld321 | o: | 20:06 |
HelloWorld321 | but I haven't opened that port yet: 22 | 20:06 |
RoyK | hehe | 20:06 |
qman__ | yeah, it's being dropped | 20:06 |
HelloWorld321 | okay, I think I've opened that port. | 20:08 |
HelloWorld321 | But I also think that that's my problem. I'm not setting up the router properly. | 20:09 |
qman__ | I got a response | 20:09 |
qman__ | it's open | 20:09 |
HelloWorld321 | you see me? freaky! yay! | 20:09 |
HelloWorld321 | can you guess my password? :P | 20:09 |
qman__ | The authenticity of host '98.148.120.187 (98.148.120.187)' can't be established. | 20:09 |
qman__ | RSA key fingerprint is 86:6a:1b:00:03:2c:85:bd:6e:2e:dc:31:50:47:6a:2a. | 20:09 |
qman__ | so, that part of it works | 20:10 |
HelloWorld321 | Hm. | 20:10 |
qman__ | you can check if your software is listening correctly by doing `netstat -lanp | grep $port` | 20:11 |
HelloWorld321 | That's not the same fingerprint I'm seeing | 20:11 |
HelloWorld321 | I can hit ssh & sftp at localhost, but I can't hit them from the external ip I just gave you. Would you mind hitting it one more time, tell me, then I'll disable it, and see if it stopped. Just to make sure that it's me | 20:16 |
hallyn | jamespage: please do let me know if/when tests confirm the /dev/kvm issue is fixed - i'll wait until then to sru the fix. (have written down to look at it again next w if nothing else) | 20:18 |
qman__ | HelloWorld321, yes, it's still working | 20:20 |
HelloWorld321 | This means that the box will accept ssh from anywhere?: tcp6 0 0 :::22 :::* LISTEN | 20:20 |
qman__ | HelloWorld321, most NAT routers won't route traffic back in destined for your external IP | 20:20 |
qman__ | you have to specifically configure it | 20:20 |
qman__ | so, you can't reliably test the setup from inside your own network | 20:21 |
HelloWorld321 | I have stopped forwarding port 22, see if you can hit it now. | 20:21 |
qman__ | nope, dropped | 20:21 |
HelloWorld321 | Nifty. So I'm onto something here. | 20:21 |
HelloWorld321 | and the reason I couldn't do the same with ftp was because it was the hardest example, not the simplest | 20:21 |
qman__ | yes | 20:21 |
qman__ | FTP requires ports 20 and 21, in addition to a range of high ports | 20:21 |
HelloWorld321 | lemme try http now ... | 20:21 |
qman__ | and your FTP server must be configured with those high ports, and must also be configured to hand out your internet IP | 20:22 |
qman__ | you need a minimum of 3 open ports to handle a single connection | 20:22 |
HelloWorld321 | I would suppose that it's generally safe to leave port 22 (ssh) open, as long as I have a strong password policy in place? | 20:23 |
qman__ | it's actually best to disable password authentication | 20:23 |
qman__ | but if you have strong passwords it should be ok | 20:23 |
qman__ | it's also advisable to limit brute forcing through things like fail2ban or a rate limiting firewall | 20:23 |
HelloWorld321 | would you mind trying to hit me at http://98.148.120.187 | 20:23 |
qman__ | squirrelmail | 20:24 |
HelloWorld321 | that's right. Thanks! | 20:24 |
HelloWorld321 | This was driving me nuts! | 20:24 |
imrook | sshguard is also an easy and effective solution to prevent hammering on 22. | 20:24 |
HelloWorld321 | For http, I would suppose I only need TCP open, not UDP? | 20:27 |
HelloWorld321 | Thanks qman__, imrook, RoyK. I was totally stuck on that. | 20:29 |
qman__ | HelloWorld321, for all of the above, only TCP is needed | 20:30 |
HelloWorld321 | I'ma secure my ssh in all the ways you've said: disable password authentication, fail2ban, and sshguard. | 20:32 |
HelloWorld321 | fail2ban was already installed and auto-configured. I've poked about that documentation, and don't understand a word, from which I'll infer that the default configuration is reasonable? | 20:41 |
HelloWorld321 | I've installed sshguard 1.5-4 from the package, and the developer site says that post 1.5 there is zero configuration. Is that correct? | 20:55 |
imrook | If you're just protecting sshd, then yes | 20:55 |
imrook | Aside from the bug I reported that hasn't been closed yet | 20:55 |
imrook | Having the string 'ssh' in your hostname causes the regex to fail and sshguard will not properly detect failed login attempts | 20:56 |
HelloWorld321 | bummer. k. that won't be a problem for my hostname | 20:56 |
sarnold | imrook: hah :) | 20:58 |
HelloWorld321 | I now believe I have my port 22 open, sshguard & fail2ban installed, and password authentication turned off for ssh at 98.148.120.187. Care to verify? | 21:29 |
sarnold | HelloWorld321: Permission denied (publickey). | 21:30 |
sarnold | no password prompt. woot. | 21:30 |
HelloWorld321 | That's good, right? Yay, I did it. Thanks. That's pretty cool. | 21:31 |
HelloWorld321 | Now I can run around opening other ports | 21:31 |
HelloWorld321 | I tell ya: it was driving me NUTS! | 21:31 |
HelloWorld321 | I totally thought I had a bum router | 21:32 |
sarnold | :) | 21:33 |
dsmythies | Hello, I am not normally on IRC, and am actually somewhat IRC challenged, but there is an issue I was hoping to get help with. | 22:31 |
dsmythies | . | 22:31 |
dsmythies | The computer is an Ubuntu Server 12.04 LTS with no GUI. To install a virtual machine (a ubuntu 12.04 server again) I am following the Ubuntu Serverguide Virtualization chapter, sub-section 1 Libvirt. | 22:31 |
dsmythies | The problem is that I can not figure how to complete a virtual machine installation, without either a GUI or a 2nd computer with a VNC viewer client. | 22:31 |
dsmythies | The serverguide sub-chapter mentions both virt-manager and virt-viewer, but both require a GUI. | 22:31 |
dsmythies | I finally figured out that I could use another computer with both a GUI and a VNC viewer client, if I used this command: | 22:31 |
dsmythies | . | 22:31 |
dsmythies | sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio --connect=qemu:///system --graphics vnc,listen=0.0.0.0 --noautoconsole -v | 22:31 |
dsmythies | . | 22:32 |
sarnold | dsmythies: (please don't use . to try to add paragraphing to irc :) | 22:32 |
dsmythies | The important part of the command being: "--graphics vnc,listen=0.0.0.0" | 22:32 |
dsmythies | . | 22:32 |
dsmythies | My question: Is there a (Libvirt) way on a non-GUI server without involving other computers? | 22:32 |
dsmythies | . | 22:32 |
dsmythies | References: | 22:32 |
dsmythies | https://help.ubuntu.com/12.10/serverguide/libvirt.html | 22:32 |
dsmythies | https://bugs.launchpad.net/serverguide/+bug/1129649 | 22:32 |
uvirtbot | Launchpad bug 1129649 in serverguide "Chapter 20 - Subsection 1 - Virtualization - Libvirt needs updating" [Undecided,In progress] | 22:32 |
dsmythies | http://ubuntuforums.org/showthread.php?t=2116415 | 22:33 |
dsmythies | . | 22:33 |
sarnold | dsmythies: have you tried leaving off the --graphics command line option? | 22:33 |
sarnold | dsmythies: I use the 'uvt' wrapper to build, snapshot, and revert VMs, no VNC required: https://wiki.ubuntu.com/SecurityTeam/TestingEnvironment | 22:33 |
sarnold | dsmythies: .. though it is Yet Another Tool to configure. | 22:33 |
dsmythies | If I leave off the --graphics line, then I am unable to connect to anything. | 22:34 |
dsmythies | I do not know of "uvt", but will look into it. Right now I am specifically trying to use virt-install... | 22:34 |
dsmythies | In the end, I hope to edit the serverguide itself with better emphasis on a non-GUI server. | 22:35 |
sarnold | dsmythies: uvt doesn't do anything that you couldn't otherwise do, but it does make it easy to ignore the virt-* details :D | 22:35 |
dsmythies | Before the --graphics stuff, this is the command I was trying: | 22:39 |
dsmythies | sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio -v | 22:39 |
luminous | hello! what is the ubuntu solution to easily encrypting/decrypting a directory | 23:24 |
luminous | similar to truecrypt, but not tc | 23:24 |
sarnold | luminous: ecryptfs if you just want directories; dm-crypt on an entire block device if you want everything... | 23:25 |
luminous | the fuse encfs? | 23:25 |
luminous | sarnold: ^^ | 23:26 |
tyhicks | luminous: ecryptfs and encfs are similar | 23:27 |
tyhicks | luminous: you get to choose :) | 23:27 |
luminous | but not the same | 23:27 |
tyhicks | no, different implementation | 23:27 |
luminous | interesting.. i will need to read more | 23:27 |
tyhicks | ecryptfs is an in-kernel filesystem, encfs is fuse based | 23:27 |
luminous | great! | 23:28 |
* luminous does not like fuse | 23:28 |
tyhicks | ecryptfs will get you a little better performance, encfs probably has more knobs and features (but I haven't looked at it in a while) | 23:28 |
luminous | all I need to be able to do is copy/store a git repo and some files | 23:29 |
luminous | to confirm, ecryptfs requires one to decrypt, edit/update/read, then encrypt, w/ encryption/decryption initiated manually - correct? | 23:30 |
tyhicks | luminous: no, it does it all transparently | 23:30 |
sarnold | luminous: ecryptfs is intended to be transparent -- once mounted, the decryption and encryption happen for you | 23:31 |
tyhicks | luminous: it is a stacked filesystem that goes on top of your existing local filesystem | 23:31 |
luminous | or, said another way... if in use, it is readable to all / like a normal directory | 23:31 |
luminous | it has to be unmounted to be 'protected' | 23:31 |
patdk-lap | once unlocked it's usable by the whole system, yes | 23:31 |
luminous | k, good to know, ty | 23:31 |
tyhicks | luminous: yes... it is close enough to be considered a posix compliant filesystem | 23:31 |
sarnold | luminous: if you're instead wanting git to store remote repositories encrypted, there's a tool for that specifically under development: https://github.com/blake2-ppc/git-remote-gcrypt | 23:33 |
luminous | that's cool | 23:33 |
luminous | i'll check it out, though i do want to feel reasonably confident in the setup | 23:34 |
sarnold | no doubt ecryptfs has seen more development time and more peer review :) | 23:34 |
luminous | yea | 23:35 |
luminous | thanks for your input! | 23:38 |
luminous | it is appreciated | 23:38 |
sarnold | have fun :) | 23:38 |
luminous | oh, and if interested in this stuff.. have a peek at crypton.io | 23:39 |
sarnold | nice :) | 23:40 |
luminous | yea :) still early, but very promising | 23:40 |
luminous | and backed by spideroak.com | 23:40 |
=== wedgwood is now known as wedgwood_away |