[00:00] <qman__> I think I'm running into bug 633392
[00:00] <qman__> unfortunately it went unresolved
[00:00] <qman__> I'll try unbonding and see if it solves the problem
[00:05] <qman__> yep, it did
[00:05] <qman__> so I guess bonding + bridging + kvm is broken
[00:06] <patdk-lap> can't say I ever joined bonding + bridging
[00:06] <qman__> bonding + bridging works great on the host OS
[00:07] <qman__> it just breaks stuff with the KVM guests
[00:07] <qman__> not sure where the fault is
[00:07] <patdk-lap> bonding and bridging on the host and normal nic on kvm guest?
[00:07] <qman__> yes
[00:07] <qman__> both normal nic and a guest with a bridge
[00:08] <qman__> same thing happens to both guests
[00:08] <patdk-lap> and firewall rules on the host?
[00:08] <qman__> accept all
[00:09] <qman__> it just has the normal KVM stuff
[00:09] <qman__> or libvirt
[00:09] <qman__> or whatever puts it in there
[00:09] <patdk-lap> just thinking :) I normally put a firewall on the host
[00:09] <qman__> yeah, this is all externally secured
[00:10] <RoyK> bonding on the host, not the guest?
[00:10] <qman__> yes
[00:10] <RoyK> what sort of bonding?
[00:11] <qman__> balance-rr
[00:11] <qman__> I don't have smart hardware
[00:11] <qman__> unmanaged switch, two different types of NIC
[00:11] <RoyK> bonding to a single switch?
[00:11] <qman__> yes
[00:12] <RoyK> then why not LACP?
[00:12] <RoyK> should work well
[00:12] <RoyK> perhaps not to a dumb switch, though
[00:13] <qman__> yeah, I don't think I can
[00:13] <qman__> I just wanted to try and squeeze some more bandwidth out of it
[00:13] <qman__> it's not critical, just annoying that it's broken
[00:13] <RoyK> get a good switch
[00:13] <RoyK> well, file a bug report
[00:14] <RoyK> if enough users/developers think it's a problem, it'll be solved
[00:26] <MraAlbertina> hi. could you please help me sonve this issue; "perl: warning: Setting locale failed." Pastebin: http://pastebin.com/p3N17prX
[00:27] <MraAlbertina> sonve/solve..
[00:28] <sarnold> MraAlbertina: 'locale -a' will show you the installed locales on your system
[00:28] <sarnold> MraAlbertina: I guess one of your locale variables there is not one of the legal values reported by locale -a
[00:29] <MraAlbertina> wow... i need to discover where that is
[00:30] <MraAlbertina> sarnold: i have a C and C.UTF-8 after 'locale -a' everything else seems ok (all en_**.utf8)
[00:31] <MraAlbertina> i have no clue where that C is coming from. might that be the problem?
[00:32] <sarnold> MraAlbertina: "C" is the safe fallback :)
[00:32] <MraAlbertina> oh
[00:32] <MraAlbertina> oh, another entry i have is POSIX, besides that C and all en*
[00:35] <MraAlbertina> is it possible to reconfigure locale, in a quick fix, sarnold ?
[00:35] <qman__> pretty sure this one is the problem: LC_ALL = (unset),
[00:36] <MraAlbertina> because everything seems ok, with locale -a
[00:36] <qman__> there's a dpkg-reconfigure you can do to set the locale
[00:36] <qman__> I can't remember which package though
[00:37] <MraAlbertina> i saw that LC_ALL = (unset) somewhere
[00:37] <qman__> related: http://ubuntuforums.org/showthread.php?t=1720356
[00:37] <qman__> shows three methods to fix, in the order you should try them
[00:37] <MraAlbertina> oh, ya, on the first "warning" i got, in the pastebin
[00:38] <MraAlbertina> LC_ALL = (unset),
[00:38] <MraAlbertina> okay, thanks so much qman__
[00:39] <MraAlbertina> thanks sarnold
[00:39] <sarnold> MraAlbertina: what fixed it? :)
[00:40] <MraAlbertina> going for a reboot after editing /etc/environment  and i'll tell you :)
[00:44] <MraAlbertina> sarnold: adding: LC_ALL="en_GB.utf8" -to- /etc/environment and rebooting solved it
[00:44] <sarnold> MraAlbertina: excellent :) thanks
[00:44] <MraAlbertina> thanks for discovering that qman__
[01:10] <patdk-lap> isn't bond-mode balance-tlb going be better than balance-rr?
[01:10] <patdk-lap> balance-rr when using a single switch, can cause out of order packets
[01:10] <patdk-lap> that might be your issue
[01:12] <patdk-lap> the other one, balance-a?? can cause issues with devices that depend on the mac being static (cable modems, some switches' management interface, basically anything using mac for a security cookie)
[01:12] <sarnold> qman__: ^^^
[01:12] <qman__> while that's possible I don't think it's the problem at hand, when watching a tcpdump, the arp requests go through the bridge and get back to my host, but simply don't get to the guests, most of the time
[01:13] <qman__> and the host has no issues at all communicating with the rest of the network over the bridge on the bond
[01:14] <patdk-lap> ya, I imagine the balance-rr issue will be more if you load the interfaces up good
[01:14] <patdk-lap> I believe I have seen that arp issue before
[01:14] <patdk-lap> but it's been awhile
[01:15] <qman__> likewise, real hosts on the LAN can reach the guests just fine, it only applies to the guests trying to initiate
[01:16] <patdk-lap> I've definitely seen that before
[01:16] <patdk-lap> but totally can't remember what it was
[01:16] <patdk-lap> I don't use kvm, but used to use xen with bridges like that
[01:40] <autoditac> hey everyone. is this the right channel to ask questions regarding nfs on ubuntu?
[01:41] <autoditac> i'd be glad if someone could give me a hint regarding posix acls and nfs4 on ubuntu.
[01:44] <autoditac> question is: will posix acls be applied if i access a ext3 filesystem with heavy usage of acls using nfs 4 without using kerberos? i have the same userbase both on the client and the server (LDAP)
[01:44] <xnox> yes, but they will be able to bypass it, if they have root on the client.
[01:45] <autoditac> hi, xnox :)
[01:46] <autoditac> xnox, users don't have root access on the client. furthermore, no_root_squash is not set
[01:48] <autoditac> i was just wondering if the nfs4 acls and posix_acls map and if the acls get enforced on the server or on the client side?
[01:50] <patdk-lap> enforced on the client
[02:02] <buengenio> guys, can somebody please recommend a shared calendar server/service?
[02:02] <patdk-lap> gmail?
[02:02] <resno> buengenio: google calendar?
[02:02]  * resno highfives patdk-lap 
[02:03] <patdk-lap> just dunno what a shared calendar server/service is
[02:03] <patdk-lap> like a community calendar? a wordpress plugin?
[02:03] <buengenio> no, like a caldav
[02:03] <patdk-lap> or like exchange/outlook? a webmail thing?
[02:03] <patdk-lap> isn't caldav a protocol?
[02:03] <buengenio> exchange/outlook type of thing but that can work with Outlook/Thunderbird/Mail, etc....
[02:03] <patdk-lap> heh?
[02:04] <sarnold> good luck with outlook :/
[02:04] <patdk-lap> outlook does its own thing
[02:04] <holstein> you can use google cal with those
[02:04] <buengenio> I'd love to say that to our boss
[02:04] <patdk-lap> and last I knew thunderbird and that doesn't support calendars
[02:04] <resno> I'm still suggesting google calendar
[02:04] <patdk-lap> buengenio, install exchange
[02:04] <buengenio> no thank
[02:04] <buengenio> no thanks
[02:04] <resno> can you even install exchange in linux?
[02:04] <sarnold> buengenio: iirc there's a horrible plugin thingy for outlook to make google calendars work there. I'm sure they did their best, but I don't think outlook was meant to have plugins. so.
[02:04] <buengenio> but boss is sticking with Outlook till dies irae
[02:05] <patdk-lap> I run exchange 2010 currently, not a big deal
[02:05] <patdk-lap> buengenio, next best thing, outlook365 :)
[02:05] <buengenio> isn't there something OSS?
[02:05] <buengenio> standards based
[02:05] <buengenio> that works everywhere?
[02:05] <patdk-lap> there are standards?
[02:06] <sarnold> buengenio: it's the "works everywhere" that fails, outlook doesn't want to play that game.
[02:06] <patdk-lap> outlook has no standards, at least till outlook 2013, then it can use activesync
[02:06] <sarnold> buengenio: and iirc nothing else really speaks exchange
[02:06] <sarnold> (client-side)
[02:06] <holstein> owncloud
[02:06] <patdk-lap> I guess you could install horde webmail, setup activesync, then use outlook2013
[02:06] <patdk-lap> I have not *tested* that though
[02:07] <resno> there's zimbra
[02:07] <resno> zimbra the paid version speaks it
[02:07] <patdk-lap> there is always openchange
[02:07] <patdk-lap> no idea how well that works
[02:07] <sarnold> buengenio: I've heard good things about http://en.wikipedia.org/wiki/Open-Xchange but never used it myself
[02:11] <shauno> I'd be wary of google calendar, their caldav access is on the chopping board
[02:12] <buengenio> Their biggest problem is that adding event invitations sent to a non GMail address doesn't work
[02:12] <buengenio> At least in Thunderbird
[02:12] <patdk-lap> heh?
[02:12] <buengenio> which is what almost everyone uses at the office
[02:17] <resno> if you had users comfortable with ftp, how would you allow them to upload their files?
[02:18] <resno> what's a reasonable alternative or a secure ftp server?
[02:19] <sarnold> resno: I'd get them comfortable with sftp right quick.
[02:19] <patdk-lap> there is no difference between ftp and sftp these days to a user
[02:20] <sarnold> except no more baffling image vs text or pasv vs active :)
[02:20] <patdk-lap> hmm, most programs hide that too :)
[02:20] <patdk-lap> just when it won't work, do you have to deal with it :)
[02:21] <sarnold> :D
[02:21] <patdk-lap> like my friend's router that messed up active ftp :)
[02:21] <resno> is sftp that much improved over ftp?
[02:22] <patdk-lap> resno, yes and no
[02:22] <resno> im sure the "s" brings secure, but is it night and day
[02:22] <patdk-lap> personally I hate sftp
[02:22] <resno> i hate s/ftp
[02:22] <patdk-lap> but it uses a single connection, unlike ftp, fixing nat issues
[02:22] <patdk-lap> and it uses ssh
[02:22] <patdk-lap> so it just works better :)
[02:22] <resno> oh?
[02:23] <resno> so, i wouldn't need an ftp server?
[02:23] <patdk-lap> depends
[02:23] <patdk-lap> most ftp servers these days support sftp too
[02:23] <resno> you give me hope and then snatch it away
[02:23] <patdk-lap> but give you more control than ssh will give you for sftp
[02:23] <patdk-lap> all depends on what goal you have
[02:24] <patdk-lap> use ssh for both
[02:24] <patdk-lap> or use like proftpd for sftp
[02:24] <patdk-lap> I think pure-ftp does it too now, but haven't checked
[02:24] <resno> there's 3 main ftp servers right?
[02:24] <patdk-lap> what is *main*?
[02:26] <resno> uhm
[02:26] <resno> ill look into proftpd
[02:26] <resno> i've managed to avoid ftp being installed, so i want to make sure it's all good and secure
[02:27] <patdk-lap> there is one issue with that :)
[02:27] <patdk-lap> you can't have both proftpd and ssh both listening on port 22 (I believe, maybe they did a passthrough thing?)
[02:27] <patdk-lap> so you would have to move normal ssh to another port
[02:28] <resno> you cant have proftpd listen on another port as well?
[02:28] <resno> seems like a recipe for disaster
[02:28] <patdk-lap> if you have it listen on another port, it will confuse users
[02:28] <patdk-lap> when they use the default port :)
[02:28] <sarnold> man, i'd so much rather just rely on sshd to do sftp rather than get one of the ftpd servers involved.
[02:29] <patdk-lap> sarnold, like I said it depends :)
[02:29] <patdk-lap> the ftp server has more control, than ssh gives you per user
[02:29] <patdk-lap> and personally, I love file upload notifications
[02:29] <patdk-lap> so I can realtime scan and check files people upload
[02:30] <resno> patdk-lap: do you do that even for trusted users? ie) coworkers
[02:30] <sarnold> something that'd be annoying to put together with incron and sshd over a few thousand users :)
[02:30] <resno> i don't know your environment
[02:30] <patdk-lap> trusted users? those exist?
[02:30] <patdk-lap> anyones account could be compromised
[02:30] <resno> true
[02:30] <resno> hmm, i didn't think of that actually
[09:36] <jamespage> yolanda_, https://code.launchpad.net/~james-page/python-quantumclient/grizzly-2.2.0/+merge/153512
[09:36] <jamespage> when you get a chance please :-)
[09:36] <yolanda_> jamespage, meeting
[09:37] <jamespage> yolanda_, (I know :-))
[09:54] <nailora> sarnold: i found this https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1008400
[10:00] <yolanda_> jamespage, i'm looking at the code in the diff, i see that in the changelog: * debian/control: Set version minimum for python-cliff (>= 1.3.1).
[10:00] <yolanda_> but i don't see that reflected in the diff, is that from a previous commit?
[10:21] <jamespage> yolanda_, yeah - it needed a tweak in the changelog to drop the ~
[10:21] <jamespage> as changelog and change did not actually match
[10:22] <yolanda_> approved it
[11:39] <jamespage> bug 1155556
[11:45] <jamespage> adam_g, reviewed and uploaded to folsom CA
[11:45] <jamespage> adam_g, I swept that and the django fix through to -updates
[12:15] <smoser> roaksoax, jamespage woot, isc-dhcp in raring with our no maas no-uuid patch.
[12:15] <smoser> er.. whatever that patch was. thanks to stgraber
[12:15] <jamespage> smoser, great!
[12:43] <roaksoax> smoser: nice!!
[12:44] <smoser> roso i guess actually, in raring you should modify maas to use that.
[12:44] <smoser> in its default config.
[13:02] <zetheroo> got a couple ubuntu servers both running 12.04.2 here  ... one looks like this when logged in "[root@mars ~]#" while the other looks like this "root@saturn:~#" ... why does mars have those brackets ?
[13:03] <patdk-wk> probably because of the shell you're using
[13:04] <zetheroo> I am accessing them both through the same terminal via ssh ...
[13:07] <zetheroo> all servers are using bash shell
[13:08] <zetheroo> weird ... I closed the saturn session and reopened it and now saturn has those brackets ... [root@saturn ~]#
[13:26] <jamespage> adam_g, http://people.canonical.com/~jamespage/ca-updates/
[13:26] <jamespage> quantumclient and new version of python-django-compressor for horizon
[13:33] <crankharder> what is it about this builder command that I can't ssh or telnet into the host once it's built & started?  https://gist.github.com/crankharder/c0063a365996f90b170c
[13:39] <ttx> jamespage: cinder milestone-proposed cut
[13:39] <jamespage> ttx, ta
[13:39]  * jamespage switches configs
[13:51] <soren> Daviey: There's a question for you(r team) in my post to the tb mailing list earlier today. Would you mind (having one of your minions) taking a look?
[13:57] <Daviey> soren: I am the minion to the cretins. :)
[13:59] <soren> Daviey: That's the spirit.
[13:59] <Daviey> soren: I'll reply to that.. just not right now. Thanks for raising it
[13:59] <soren> Daviey: By extension, is... err.. Rick Spencer  your minion?
[14:00] <Daviey> soren: The higher you go, the least important you become.. so yes :)
[14:01] <Daviey> I say jump. and he says,
[14:01] <Daviey> "you're fired"
[14:05] <pmatulis> hmph, on quantal (at least) i see that 'deluser --remove-home' does not remove the home directory, just the files
[14:12] <Croves> Hello guys! I'm trying to install Ubuntu Server 12.04 i386 on a XenServer Virtual Machine, but when I try to install the system, I get this error: "Your installation CD-ROM couldn't be mounted. This probably means that the CD-ROM was not in the drive. "
[14:12] <Croves> Any idea?
[14:18] <saki`> hi ho
[14:18] <saki`> i was wondering
[14:18] <saki`> if i could run an ubuntu server OS off a live usb?
[14:21] <melmoth> saki`, http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator
[14:23] <crankharder> what is it about this builder command that I can't ssh or telnet into the host once it's built & started?  https://gist.github.com/crankharder/c0063a365996f90b170c
[14:23] <Croves> Is anyone here familiar with XenServer?
[14:29] <saki`> thanks melmoth
[14:29] <saki`> maybe i should mention
[14:29] <saki`> i'm going to be trying to run this off it: http://www.sourcefabric.org/en/airtime/download/
[14:31] <melmoth> saki`, the usb creator thingy lets you have a "state" in your live usb system. which means, any change you make will be there after a reboot.
[14:31] <melmoth> so you can apt-get install or compile stuff you need, and they will be available on the usb stick.
[14:31] <melmoth> all you need is... space on the key.
[14:32] <saki`> okay cool, so a persistent install or whatever yeah?
[14:32] <saki`> thanks melmoth.
[14:32] <melmoth> indeed.
[14:32] <melmoth> when you create the key, you have an option about "casper", that's the persistent stuff
[14:33] <melmoth> basically, it asks you how much space you want to allocate to the persistent storage (if i understand correctly)
[14:33] <saki`> ah ok
[14:33] <melmoth> i don't know the details, i just know it "just worked" last time i needed it
[14:34] <saki`> hmm this seems to require me to compile it somewhere. if this works let me try and use a windows based installer instead.
[14:34] <saki`> as in, if it works anyway
[14:38] <saki`> you wouldn't happen to know of one would you melmoth? the only one i know of is YUMI, and that's for multiboot stuff
[14:39] <melmoth> nope, sorry.
[14:40] <saki`> ah no worries
[14:40] <saki`> found one
[14:45] <zetheroo> in trying to setup glusterfs here I am running into this message and cannot seem to find a fix that works for me:  /mnt/gluster or a prefix of it is already part of a volume
[15:33] <hrenovo> so to add a rule with ufw I do something like this "ufw allow 8080" , now how can I delete this rule from showing up in "ufw status" ?
[15:33] <jpds> hrenovo: That's... not supposed to be done?
[15:34] <jpds> Why would you add a rule, then hide its existence?
[15:34] <hrenovo> if I no longer need it
[15:34] <hrenovo> not hide, just get rid of it
[15:34] <hrenovo> i figured it out
[15:34] <hrenovo> it's ufw delete allow 8080
[15:34] <hrenovo> like that
[15:38] <jpds> hrenovo: Ah, right. :)
[16:45] <fabiofranco> something weird is happening with my tomcat7 and mysql server. when I add firewall rules with iptables to open the port 8080 and 3306 and add the last rule dropping everything else the communication between tomcat7 and mysql just stops... any thoughts?
[16:57] <patdk-wk> fabiofranco, thoughts without seeing the rules?
[16:58] <fabiofranco> sure, I add: iptables -A INPUT -j ACCEPT -p tcp --dport 8080, iptables -A INPUT -j ACCEPT -p tcp --dport 3306 and finally iptables -A INPUT -j DROP -p tcp
[16:59] <fabiofranco> just those three... and after I add the last one the communication stops immediately
[16:59] <fabiofranco> I add the one open ssh too of course
[16:59] <qman__> you need to add rules to allow all traffic on the loopback interface
[17:00] <fabiofranco> qman__ example pls?
[17:00] <adam_g> jamespage, those 2 new CA updates LGTM
[17:01] <qman__> iptables -A INPUT -i lo -j ACCEPT
[17:01] <qman__> iptables -A OUTPUT -o lo -j ACCEPT
[17:02] <fabiofranco> qman__ i see.. gonna give it a try
[17:03] <qman__> also, it's conventional to put the -j at the end of each line
[17:03] <qman__> not sure if it affects the rules
[17:04] <qman__> but if it does, your last rule could mean iptables -A INPUT -j DROP, which would certainly not be great
[17:04] <qman__> also, do you have rules for established traffic?
[17:04] <qman__> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[17:05] <fabiofranco> no, I dont
[17:05] <qman__> you definitely need that too
[17:05] <fabiofranco> gonna apply it right now
[17:07] <jamespage> adam_g, great - ta
[17:10] <fabiofranco> qman__ do you think the last rule should be iptables -A INPUT -j DROP?
[17:12] <qman__> it can but that will break all icmp and udp traffic
[17:12] <qman__> so if you want any of either, make sure you allow it first
[17:13] <fabiofranco> qman__ I see... gonna try it
[17:17] <fabiofranco> qman__ it worked... thanks a lot
[17:24] <jamespage> adam_g, that horizon oddness with firefox is fixed with the new version of django-compressor
[17:25] <adam_g> jamespage, great
[17:25] <adam_g> jamespage, which projects are we waiting on for RC1?
[17:25] <jamespage> adam_g, most of them
[17:26] <adam_g> ah
[17:26] <jamespage> quantum and cinder have released rc1's
[17:26] <jamespage> I started on quantum
[17:27] <jamespage> but noticed the watch file does not work that well and got distracted....
[17:34] <jamespage> adam_g, MP for quantum rc - https://code.launchpad.net/~james-page/quantum/grizzly-rc1/+merge/153606
[17:35] <adam_g> jamespage, nice.
[17:35] <jamespage> adam_g, I think all the required deps are in the grizzly-staging PPA now
[17:35] <jamespage> there are a few catchups outstanding but nothing critical.
[17:36] <adam_g> jamespage, when i got online, saw a precise+grizzly test had just failed on volume creation. hope it's something transient. :)
[17:36] <jamespage> adam_g, hmm - worked a few minutes ago - I'll try again
[17:37] <jamespage> adam_g, btw I'm working on a tool to make backporting easier
[17:38] <jamespage> ca-backport-package 'os_series' 'package' 'Comment for Changelog'
[17:38] <adam_g> jamespage, hah
[17:38] <jamespage> hopefully it will mean the only thing you can get wrong is the changelog comment :-)
[17:38] <adam_g> jamespage,  i just did this yesterday http://paste.ubuntu.com/5617160/
[17:39] <jamespage> adam_g, lol
[17:39] <jamespage> great minds and all that
[17:39] <jamespage> we should consolidate stuff
[17:39] <jamespage> mine's a bit more hacky right now
[17:39] <adam_g> jamespage, yeah, what are your thoughts on making this automated, in response to the version_drift failing?
[17:40] <jamespage> adam_g, I'd be up for that - I implemented the changes we discussed in the CA archive admin tooling to help support that today
[17:40] <jamespage> ca admins now get the change details so can choose to ignore things.
[17:41] <adam_g> jamespage, where do you envision the bot pushing the auto-built backports? straight to the staging PPA or somewhere for a human to do that?
[17:41] <jamespage> adam_g, cinder looks OK to me - http://paste.ubuntu.com/5617170/
[17:41] <jamespage> adam_g, I think step one would be to put it somewhere for a human to review, sign and upload
[17:42] <jamespage> adam_g, but so long as that proves reliable then full automation ++
[17:42] <adam_g> jamespage, that's what i was thinking. a staging-staging-PPA so we can ensure builds, as well
[17:43] <adam_g> need to step away. back in 10
[17:43] <jamespage> adam_g, yeah - one that inherits of the staging PPA would be neat
[17:44] <jamespage> hmm - that gives me a thought
[17:44] <jamespage> we could just write a tool that pulls stuff from there, signs the packages and uploads them to the true staging PPA
[17:45] <jamespage> actually that's almost an extension of the tool I already wrote for syncs staging->proposed->updates
[17:47] <jamespage> adam_g, other thing I have been doing is switching the build configs from master -> milestone-proposed as the branches are cut
[17:48] <jamespage> done for cinder and quantum - ttx has been good at pinging me when that has happened
[17:50] <jamespage> adam_g, if you agree with the approach I took in the mysql charm re openstack-charm-helpers I'll add that to the ha-helpers branch, re-sync swift-proxy and start working on keystone on monday
[17:51] <jamespage> I guess the unison helper could live in charm-helpers as well.
[17:51] <jamespage> And then we can write some unit tests.
[17:51] <jamespage> w00t
[18:04] <adam_g> jamespage, +1 to all that. do the branches that have a milestone-proposed also have havana version bump in master?
[18:04] <jamespage> adam_g, yes
[18:04] <jamespage> but due to the way we override the OSLO version number in the lab we don't get busted by that
[18:04] <jamespage> i.e. the release created is always 2013.1
[18:05] <jamespage> adam_g, OK - I have to go now
[18:05] <jamespage> adam_g, weekend and all that - I will check back in a bit later +3 hr
[18:05] <jamespage> ttfn
[18:05] <adam_g> jamespage, k, looking at the mysql stuff now. after we merge that i'll sync the helpers branch with those changes + anything else still pending
[18:06] <jamespage> adam_g, ahead of you - lp:~james-page/openstack-charm-helpers/ha-python-updates
[18:06] <jamespage> feel free to merge - I added headers over the mysql versions to tell people it's part of openstack-charm-helpers
[18:06] <adam_g> doh! :)
[18:35] <HelloWorld321> I'm looking at a resolved help-forum post that seems similar to my problem (http://boards.portforward.com/viewtopic.php?f=3&t=9910&sid=201967eaaef5c2335ed22ea5a811c5d3&start=10) and I don't know what the poster means in his resolution: "I noticed that the net:bind_ip in utorrent was set to a different internal IP address than the static one assigned my computer, so I just cleared this, so the field was blank.".  I'm not 
[18:35] <HelloWorld321> What is net:bind_ip?
[18:37] <sarnold> HelloWorld321: you were cut off at "I'm not"
[18:37] <sw> HelloWorld321: net:bind_ip is the IP address that it binds to. from their website: net.bind_ip: If your computer setup requires that you use a specific LAN adapter for incoming connections, you may specify that adapter's IP address here.
[18:37] <sarnold> HelloWorld321: when a program listens on a socket, it binds a socket to a port on an IP
[18:39] <sarnold> HelloWorld321: the usual interface is, if no IP address is specified, bind that port on _all_ IPs the machine uses. If an IP is specified, then bind only on that IP, so other IPs on the machine don't expose the service -- or can run a different service.
[18:53] <HelloWorld321> thanks.  so I can find that in netstat?
[18:53] <HelloWorld321> (cut off at "I'm not"):  ... using utorrent, I'm trying to set up an ftp as a proof-of-concept, since I figure ftp is pretty standard (maybe a little too standard: I'll disable it for security once I figure out what's going on with my router), ...
[18:54] <HelloWorld321> but I don't know what the net:bind_ip is or where to clear it
[18:55] <sarnold> HelloWorld321: yikes, ftp is a pain in the butt all around :) active vs passive connections is extremely irritating.
[18:55] <HelloWorld321> I was supposing that it would be easy, because it was so old and so standard
[18:55] <HelloWorld321> (afk4lunch!)
[19:28] <HelloWorld321> bak
[19:28] <HelloWorld321> I'm able to hit the ftp server from inside the network, so I suppose that the host is set up properly
[19:30] <hrenovo> hi. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[19:30] <hrenovo> I have this rule added in iptables
[19:30] <hrenovo> is there a way to add it in ufw ?
[19:30] <hrenovo> if I enable ufw this rule is blocked
[19:46] <HelloWorld321> My system is listening for ftp on all ip addresses (http://pastebin.com/WjhZtzTX) and I'm having no trouble reaching the ftp server from inside my network, so I believe that my original question about checking/clearing net:bind_ip is not really the issue.  Is that correct?
[19:52] <qman__> HelloWorld321, that is correct
[19:53] <qman__> FTP is ancient and poorly designed, and does not play well with NAT
[19:53] <qman__> http://mywiki.wooledge.org/FtpMustDie for more information
[19:53] <qman__> the short of it is, don't use FTP, SFTP is in all ways superior and you probably already have it
[19:56] <Pici> Also ,don't confuse FTPS is not SFTP
[19:56] <Pici> Also ,don't confuse FTPS with SFTP
[19:56]  * Pici confuses himself sometimes
[19:56] <Pici> er, not with that, with typing the right thing.
[19:58] <HelloWorld321> okay, I'll take that into account.  But for now, my point isn't actually to set up an FTP server., it's to set up my router.  I just want to hit anything inside my network from the world IP address.
[19:58] <qman__> HelloWorld321, FTP is the worst possible protocol to test that with
[19:59] <qman__> because FTP specifically will not work over a NAT without lots of hacking
[19:59] <HelloWorld321> I used to run a Ventrilo server, but I had to stop when I got a different router, so now all my gamer friends are bummed.
[19:59] <HelloWorld321> okay, what's the simplest application to test that with?
[19:59] <qman__> http or ssh
[20:00] <HelloWorld321> okay.  I have apache running on that same box.
[20:00] <HelloWorld321> I'll go open those ports and try that.
[20:01] <HelloWorld321> http is port 80, right?
[20:01] <qman__> yes
[20:01] <qman__> bear in mind that if you have a residential ISP, they may block it
[20:01] <qman__> many block 25, 80, and 443
[20:01] <HelloWorld321> I've thought of that.  I asked the support desk.  They said they didn't.  But they also sounded like they didn't know what "ports" are
[20:02] <HelloWorld321> and yes, this is on a residential ISP.
[20:02] <qman__> I've never seen one that blocks 22 though
[20:03] <qman__> and you can always try forwarding a high port, like 8080 -> 80
[20:03] <imrook> I'm trying to build the php5_5.3.10-1ubuntu3.6 source package, but getting "debian/setup-mysql.sh: 44: debian/setup-mysql.sh: USER: parameter not set" during test-results.txt
[20:03] <HelloWorld321> is 22 sftp?
[20:03] <qman__> ssh/sftp
[20:03] <imrook> This was fixed back in 3.3 http://irclogs.ubuntu.com/2012/12/21/%23ubuntu-server.html
[20:03] <imrook> Is this a known regression?
[20:04] <HelloWorld321> okay, 80 doesn't work with this configuration.
[20:05] <RoyK> HelloWorld321: set up ssh and tell us the ip address - unless you have a very bad password, it should be safe to post the address for some of us to test. if you have a bad password, your box will be compromised in hours anyway
[20:05] <HelloWorld321> I have just tried to sftp localhost, and ssh to the internal ip, so sftp is set up.  My outside ip address is 98.148.120.187
[20:06] <HelloWorld321> o:
[20:06] <HelloWorld321> but I haven't opened that port yet: 22
[20:06] <RoyK> hehe
[20:06] <qman__> yeah, it's being dropped
[20:08] <HelloWorld321> okay, I think I've opened that port.
[20:09] <HelloWorld321> But I also think that that's my problem.  I'm not setting up the router properly.
[20:09] <qman__> I got a response
[20:09] <qman__> it's open
[20:09] <HelloWorld321> you see me?  freaky!  yay!
[20:09] <HelloWorld321> can you guess my password?  :P
[20:09] <qman__> The authenticity of host '98.148.120.187 (98.148.120.187)' can't be established.
[20:09] <qman__> RSA key fingerprint is 86:6a:1b:00:03:2c:85:bd:6e:2e:dc:31:50:47:6a:2a.
[20:10] <qman__> so, that part of it works
[20:10] <HelloWorld321> Hm.
[20:11] <qman__> you can check if your software is listening correctly by doing `netstat -lanp | grep $port`
[20:11] <HelloWorld321> That's not the same fingerprint I'm seeing
[20:16] <HelloWorld321> I can hit ssh & sftp at localhost, but I can't hit them from the external ip I just gave you.  Would you mind hitting it one more time, tell me, then I'll disable it, and see if it stopped.  Just to make sure that it's me
[20:18] <hallyn> jamespage: please do let me know if/when tests confirm the /dev/kvm issue is fixed - i'll wait until then to sru the fix.  (have written down to look at it again next w if nothing else)
[20:20] <qman__> HelloWorld321, yes, it's still working
[20:20] <HelloWorld321> This means that the box will accept ssh from anywhere?:   tcp6       0      0 :::22                   :::*                    LISTEN
[20:20] <qman__> HelloWorld321, most NAT routers won't route traffic back in destined for your external IP
[20:20] <qman__> you have to specifically configure it
[20:21] <qman__> so, you can't reliably test the setup from inside your own network
[20:21] <HelloWorld321> I have stopped forwarding port 22, see if you can hit it now.
[20:21] <qman__> nope, dropped
[20:21] <HelloWorld321> Nifty.  So I'm onto something here.
[20:21] <HelloWorld321> and the reason I couldn't do the same with ftp was because it was the hardest example, not the simplest
[20:21] <qman__> yes
[20:21] <qman__> FTP requires ports 20 and 21, in addition to a range of high ports
[20:21] <HelloWorld321> lemme try http now ...
[20:22] <qman__> and your FTP server must be configured with those high ports, and must also be configured to hand out your internet IP
[20:22] <qman__> you need a minimum of 3 open ports to handle a single connection
[20:23] <HelloWorld321> I would suppose that it's generally safe to leave port 22 (ssh) open, as long as I have a strong password policy in place?
[20:23] <qman__> it's actually best to disable password authentication
[20:23] <qman__> but if you have strong passwords it should be ok
[20:23] <qman__> it's also advisable to limit brute forcing through things like fail2ban or a rate limiting firewall
[20:23] <HelloWorld321> would you mind trying to hit me at http://98.148.120.187
[20:24] <qman__> squirrelmail
[20:24] <HelloWorld321> that's right.  Thanks!
[20:24] <HelloWorld321> This was driving me nuts!
[20:24] <imrook> sshguard is also an easy and effective solution to prevent hammering on 22.
[20:27] <HelloWorld321> For http, I would suppose I only need TCP open, not UDP?
[20:29] <HelloWorld321> Thanks qman__, imrook, RoyK.  I was totally stuck on that.
[20:30] <qman__> HelloWorld321, for all of the above, only TCP is needed
[20:32] <HelloWorld321> I'ma secure my ssh in all the ways you've said:  disable password authentication, fail2ban, and sshguard.
[20:41] <HelloWorld321> fail2ban was already installed and auto-configured.  I've poked about that documentation, and don't understand a word, from which I'll infer that the default configuration is reasonable?
[20:55] <HelloWorld321> I've installed sshguard 1.5-4 from the package, and the developer site says that post 1.5 there is zero configuration.  Is that correct?
[20:55] <imrook> If you're just protecting sshd, then yes
[20:55] <imrook> Aside from the bug I reported that hasn't been closed yet
[20:56] <imrook> Having the string 'ssh' in your hostname causes the regex to fail and sshguard will not properly detect failed login attempts
[20:56] <HelloWorld321> bummer.  k.  that won't be a problem for my hostname
[20:58] <sarnold> imrook: hah :)
[21:29] <HelloWorld321> I now believe I have my port 22 open, sshguard & fail2ban installed, and password authentication turned off for ssh at 98.148.120.187.   Care to verify?
[21:30] <sarnold> HelloWorld321: Permission denied (publickey).
[21:30] <sarnold> no password prompt. woot.
[21:31] <HelloWorld321> That's good, right?  Yay, I did it.  Thanks.  That's pretty cool.
[21:31] <HelloWorld321> Now I can run around opening other ports
[21:31] <HelloWorld321> I tell ya: it was driving me NUTS!
[21:32] <HelloWorld321> I totally thought I had a bum router
[21:33] <sarnold> :)
[22:31] <dsmythies> Hello, I am not normally on IRC, and am actually somewhat IRC challenged, but there is an issue I was hoping to get help with.
[22:31] <dsmythies> .
[22:31] <dsmythies> The computer is an Ubuntu Server 12.04 LTS with no GUI. To install a virtual machine (a ubuntu 12.04 server again) I am following the Ubuntu Serverguide Virtualization chapter, sub-section 1 Libvirt.
[22:31] <dsmythies> The problem is that I can not figure how to complete a virtual machine installation, without either a GUI or a 2nd computer with a VNC viewer client.
[22:31] <dsmythies> The serverguide sub-chapter mentions both virt-manager and virt-viewer, but both require a GUI.
[22:31] <dsmythies> I finally figured out that I could use another computer with both a GUI and a VNC viewer client, if I used this command:
[22:31] <dsmythies> .
[22:31] <dsmythies> sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio --connect=qemu:///system --graphics vnc,listen=0.0.0.0 --noautoconsole -v
[22:32] <dsmythies> .
[22:32] <sarnold> dsmythies: (please don't use . to try to add paragraphing to irc :)
[22:32] <dsmythies> The important part of the command being: "--graphics vnc,listen=0.0.0.0"
[22:32] <dsmythies> .
[22:32] <dsmythies> My question: Is there a (Libvirt) way on a non-GUI server without involving other computers?
[22:32] <dsmythies> .
[22:32] <dsmythies> References:
[22:32] <dsmythies> https://help.ubuntu.com/12.10/serverguide/libvirt.html
[22:32] <dsmythies> https://bugs.launchpad.net/serverguide/+bug/1129649
[22:33] <dsmythies> http://ubuntuforums.org/showthread.php?t=2116415
[22:33] <dsmythies> .
[22:33] <sarnold> dsmythies: have you tried leaving off the --graphics command line option?
[22:33] <sarnold> dsmythies: I use the 'uvt' wrapper to build, snapshot, and revert VMs, no VNC required: https://wiki.ubuntu.com/SecurityTeam/TestingEnvironment
[22:33] <sarnold> dsmythies: .. though it is Yet Another Tool to configure.
[22:34] <dsmythies> If I leave off the --graphics line, then I am unable to connect to anything.
[22:34] <dsmythies> I do not know of "uvt", but will look into it. Right now I am specifically trying to use virt-install...
[22:35] <dsmythies> In the end, I hope to edit the serverguide itself with better emphasis on a non-GUI server.
[22:35] <sarnold> dsmythies: uvt doesn't do anything that you couldn't otherwise do, but it does make it easy to ignore the virt-* details :D
[22:39] <dsmythies> Before the --graphics stuff, this is the command I was trying:
[22:39] <dsmythies> sudo virt-install -n virt32_01 -r 128 --disk path=/var/lib/libvirt/images/virt32_01.img,bus=virtio,size=12 -c ubuntu-12.04.2-server-i386.iso --accelerate --network network=default,model=virtio -v
[23:24] <luminous> hello! what is the ubuntu solution to easily encrypting/decrypting a directory
[23:24] <luminous> similar to truecrypt, but not tc
[23:25] <sarnold> luminous: ecryptfs if you just want directories; dm-crypt on an entire block device if you want everything...
[23:25] <luminous> the fuse encfs?
[23:26] <luminous> sarnold: ^^
[23:27] <tyhicks> luminous: ecryptfs and encfs are similar
[23:27] <tyhicks> luminous: you get to choose :)
[23:27] <luminous> but not the same
[23:27] <tyhicks> no, different implementation
[23:27] <luminous> interesting.. i will need to read more
[23:27] <tyhicks> ecryptfs is an in-kernel filesystem, encfs is fuse based
[23:28] <luminous> great!
[23:28]  * luminous does not like fuse
[23:28] <tyhicks> ecryptfs will get you a little better performance, encfs probably has more knobs and features (but I haven't looked at it in a while)
[23:29] <luminous> all I need to be able to do is copy/store a git repo and some files
[23:30] <luminous> to confirm, ecryptfs requires one to decrypt, edit/update/read, then encrypt, w/ encryption/decryption initiated manually - correct?
[23:30] <tyhicks> luminous: no, it does it all transparently
[23:31] <sarnold> luminous: ecryptfs is intended to be transparent -- once mounted, the decryption and encryption happen for you
[23:31] <tyhicks> luminous: it is a stacked filesystem that goes on top of your existing local filesystem
[23:31] <luminous> or, said another way... if in use, it is readable to all / like a normal directory
[23:31] <luminous> it has to be unmounted to be 'protected'
[23:31] <patdk-lap> once unlocked it's usable by the whole system, yes
[23:31] <luminous> k, good to know, ty
[23:31] <tyhicks> luminous: yes... it is close enough to be considered a posix compliant filesystem
[23:33] <sarnold> luminous: if you're instead wanting git to store remote repositories encrypted, there's a tool for that specifically under development: https://github.com/blake2-ppc/git-remote-gcrypt
[23:33] <luminous> that's cool
[23:34] <luminous> i'll check it out, though i do want to feel reasonably confident in the setup
[23:34] <sarnold> no doubt ecryptfs has seen more development time and more peer review :)
[23:35] <luminous> yea
[23:38] <luminous> thanks for your input!
[23:38] <luminous> it is appreciated
[23:38] <sarnold> have fun :)
[23:39] <luminous> oh, and if interested in this stuff.. have a peek at crypton.io
[23:40] <sarnold> nice :)
[23:40] <luminous> yea :) still early, but very promising
[23:40] <luminous> and backed by spideroak.com