/srv/irclogs.ubuntu.com/2013/05/01/#ubuntu-server.txt

=== blackjack is now known as sumpit
=== sumpit is now known as woles
[01:16] <Eitan> Hey gents, is there a way to change the outward facing IP address on my server?
[01:16] <Eitan> I have about 25 IPs configured and it's using 1 as the outward and I need it to use another
[01:17] <Eitan> seems to be using the last one on my list, as opposed to the first one that it should be using
[01:18] <RoyK> Eitan: rfc1918 addresses?
[01:19] <RoyK> nat?
[01:19] <Eitan> So I have eth0 - eth17
[01:19] <Eitan> and it's using eth17 as the external instead of eth0, I could just rename eth0 to eth18
[01:19] <RoyK> what addresses?
[01:19] <Eitan> nat
[01:20] <Eitan> vim /etc/udev/rules.d/70-persistent-net.rules perhaps?
[01:20] <RoyK> same subnet?
[01:20] <Eitan> yes
[01:20] <RoyK> why so many NICs?
[01:21] <Eitan> it's a dedicated server... that's how the host set it up
[01:21] <qman__> you shouldn't assign addresses in the same subnet to more than one physical adapter
[01:21] <Eitan> I needed a lot of IPs
[01:21] <RoyK> Eitan: you don't need a truckload of IP addresses
[01:22] <Eitan> I agree,
[01:22] <Eitan> but right now I can't get rid of all of them
[01:22] <Eitan> I just need to change my outward facing IP
[01:22] <qman__> there is no such thing; you're misinterpreting something else
[01:22] <Eitan> so I can get through someone's firewall, instead of asking them to change the IP in their ACLs
[01:22] <qman__> I assume you mean the IP your system is sending new connections out from
[01:22] <Eitan> yes sir
[01:22] <Eitan> my external IP
[01:23] <Eitan> who people think I am
[01:23] <qman__> all of your IPs are external
[01:23] <Eitan> ok,
[01:23] <Eitan> you are right
[01:23] <Eitan> misspoke
[01:23] <Eitan> the IP that my system is sending out connections from
[01:23] <Eitan> it's currently using the last eth instead of the first
[01:24] <qman__> it's most likely using whichever one was most recently configured
[01:24] <Eitan> qman: you are correct
[01:24] <Eitan> it is using eth0:13 instead of eth0:1
[01:24] <Eitan> it is using eth0:13 instead of eth0:0
[01:25] <qman__> ok; those are virtual interfaces, not physical, and are different in both configuration and function
[01:25] <Eitan> ok, that makes sense, they are all running on eth0
[01:25] <Eitan> and it's using the last configured
[01:26] <Eitan> so I'm just going to change it here /etc/network/interfaces
[01:26] <qman__> do you have more than one default gateway specified?
[01:26] <Eitan> no
[01:26] <Eitan> same default gateway
[01:26] <qman__> what I mean is, is it specified more than once?
[01:26] <Eitan> yes sir
[01:26] <qman__> that's incorrect
[01:26] <Eitan> specified for every IP
[01:27] <qman__> it should only be specified once
[01:27] <qman__> on the first interface
[01:27] <Eitan> pretty much everything is duplicated for every network int
[01:27] <Eitan> only thing different is address itself
[01:27] <qman__> that's wrong; the additional addresses should only be specified as address and netmask
[01:28] <Eitan> ok, I'll make that change
[01:28] <Eitan> how should I go about making this stop using my last configured int as outgoing?
[01:28] <Eitan> switch them in the config?
[01:28] <qman__> no
[01:29] <qman__> this will probably fix that
[01:29] <Eitan> oh cool
[01:29] <qman__> if not, you'll have to change some advanced routing settings
[01:29] <Eitan> got it
[01:29] <Eitan> I'll give it a shot
[01:29] <Eitan> thanks for the info
[01:29] <qman__> after removing all those you will have to make that configuration apply, done easiest by rebooting
[01:30] <qman__> or you could probably manually delete all the extra gateways
[01:30] <Eitan> ok, I'll just run a quick reboot
[01:32] <Eitan> could also use ssh -b address to use a specific IP
[01:32] <Eitan> woops
=== LargePrime is now known as Guest16628
[02:02] <roasted> hello friends
[02:03] <roasted> I have a server with a spinning drive for the OS. I got to thinking about taking it and putting it on an SSD. If I would do that, should I exclude swap from the SSD?
[02:18] <hachre> are you using swap a lot?
[02:34] <roasted> hachre: I don't believe so... truth be told I haven't checked in quite a while.
[02:34] <hachre> how much ram do you have?
[02:34] <roasted> it's a home server... 4gb of ram.
[02:34] <hachre> does it run anything?
[02:34] <roasted> quite a bit, but all for personal use
[02:34] <hachre> except samba
[02:34] <roasted> subsonic, owncloud, apache, samba, motion video surveillance, mdadm raid
[02:35] <hachre> don't know that motion video thing
[02:35] <hachre> apart from that
[02:35] <hachre> they aren't huge ram hogs
[02:35] <hachre> anyway.. if you don't use it much I wouldn't care
[02:35] <roasted> motion isn't a huge ram hog, but it taxes the cpu a little bit
[02:35] <hachre> if you really trash it you could put it on the disks to spare the ssd
[02:35] <hachre> I personally use linux as a desktop on my laptop with a ssd
[02:35] <roasted> sounds good
[02:35] <hachre> I don't have any problems
[02:36] <hachre> laptop has been going for three years
[02:36] <roasted> I just wasn't sure how swap + SSD would work
[02:36] <hachre> swap on the ssd and I go way beyond the 4 gb sometimes
[02:36] <roasted> like if that was a bad idea or anything
[02:36] <hachre> nah
[02:36] <qman__> I run swapless
[02:36] <qman__> more RAM would have been cheaper
[02:36] <hachre> just for the wear and tear
[02:36] <roasted> do you guys know of a way to suck up the contents of my entire server OS and drop it on an SSD?
[02:36] <roasted> 500GB HDD right now... want to go to 64GB SSD...
[02:37] <hachre> I'd use rsync
[02:37] <roasted> rsync for the OS?
[02:37] <qman__> yep, rsync
[02:37] <hachre> for everything
[02:37] <roasted> wow
[02:37] <roasted> I didn't think rsync would work
[02:37] <qman__> rsync the files, then install grub to the SSD
[02:37] <hachre> well you gotta reinstall grub and you have to do the partitioning on the ssd and mkfs
[02:37] <hachre> that's it
[02:37] <hachre> rest is rsync
[02:37] <qman__> specifically
[02:37] <roasted> I had the drive prepped already
[02:38] <roasted> just hooked it up to a sata connector on my laptop and GParted it
[02:38] <roasted> I just haven't swapped it out yet
[02:38] <roasted> renovating the basement, so... been pre-occupied
[02:38] <qman__> rsync -avh --exclude=/dev --exclude=/proc --exclude=/sys --exclude=/mnt/ssd / /mnt/ssd
[02:38] <hachre> yup
[02:38] <hachre> :)
[02:38] <roasted> qman__: the server will be offline when I rsync. Would the excludes be needed then?
[02:38] <qman__> assuming you mount the ssd to /mnt/ssd
[02:39] <qman__> nope
[02:39] <roasted> I can just do rsync -avh /media/hdd /media/ssd ??
[02:39] <qman__> just mount both disks and rsync one to the other
[02:39] <qman__> yes
[02:39] <roasted> well dang
[02:39] <roasted> that's freakin nice
[02:39] <hachre> :)
[02:40] <roasted> taking that down in my notes quick...
[02:42] <roasted> k, done deal
[02:42] <roasted> thanks again fellas
[02:42] <hachre> np
[02:49] <Falados> Is there a way to secure Tomcat using AppArmor on 12.04?
[02:49] <Falados> or more generally, applications that run on the JVM
[02:52] <qman__> yes, just like any other
[02:52] <qman__> you need to configure a profile that allows it the access needed
[02:53] <Falados> but 'it' is the java binary. which could be used to run other JVM apps - which should have different profiles.
[02:53] <Falados> yet they all look like the same binary
[02:53] <Falados> I saw something about ChangeHat, but I can't find much.
[02:54] <Falados> it was in the SuSE docs
[02:55] <qman__> looks like there used to be an apparmor_tomcat but it's been left to rot
[02:55] <Falados> yeah, I saw that :(
[02:58] <Falados> it would seem like I'd have to install a JVM per app and secure them that way, or combine the profiles into one (which kind of defeats the purpose)
[02:58] <qman__> yeah, I don't really see a way around that; you could make linked copies of the JVM by different names
[02:58] <qman__> still messy though
[02:59] <Falados> AppArmor doesn't follow links to the underlying binary? I guess that would be another way it could work.
[02:59] <qman__> given the nature of tomcat and applications that run on it, there probably aren't many people that have this specific need
[02:59] <Falados> I don't have the specific need just yet - it's more of an academic exercise.
[03:00] <Falados> but I can see it being useful in general
[03:00] <qman__> what people probably do in the real world is spin up a VM per tomcat application
[03:00] <qman__> offers greater separation and security between them
[03:00] <Falados> probably for the best then.
[03:02] <Falados> but I can see if tomcat were to host more than one application, it would make sense to isolate at the servlet level too (like tomcat_apparmor provided)
[03:03] <Falados> I wonder if it was abandoned due to lack of interest, contributions, or both.
[03:03] <Falados> since nothing has replaced it
[03:03] <qman__> that's likely
[03:04] <qman__> there are other considerations when running applications that need to be separate, which are more easily achieved by separating servers
[03:04] <Falados> yeah.  In a prod environment I'd be more inclined to have a single webapp per tomcat install
[03:04] <qman__> plus the way things are headed these days is toward preconfigured instances that you fire up on the fly with your application preloaded
[03:05] <qman__> "I need six more foos and three bars", click it in your openstack
[03:07] <Falados> thx for the help qman__
[03:20] <LargePrime> what are the downsides of root not being the owner of a file in www-data
[03:24] <Falados> I think it may be because chgrp can be used to give it away. and if root owns it, then only root can chgrp
[03:25] <Falados> may be other reasons, could also just be convention
[04:12] <LargePrime> Falados: but what is the harm in it being given away
[04:30] <Falados> LargePrime: it depends on what it was changed to and who has access to that new group.  It's unexpected behavior, and should be avoided.
[04:31] <Falados> LargePrime: but there may be other things that are not coming to mind. It's probably not a large attack vector - but it's simple enough to enforce this convention anyway.
[04:31] <LargePrime> do you have time to discuss more?
[04:32] <LargePrime> Falados:
[04:33] <LargePrime> I have several sites I host.  like mydomain.com and yourdomain.com and thierdomain.org
[04:34] <LargePrime> I want you to have rights to yourdomain.com, them to have rights to thierdomain, and my web guy to have access to all of them
[04:34] <LargePrime> www-data needs to have access to serve the files, and some of the files cannot be made public
[04:35] <Falados> depends on your particular constraints, but the owner/user permissions are not very granular like that.
[04:35] <LargePrime> my plan is to create a group for each domain and add web authors to each group as needed
[04:35] <LargePrime> and set the group as owner
[04:35] <Falados> there is an ACL implementation I think, but that might be overkill.  I'd probably end up giving the web-guy sudo permissions
[04:36] <LargePrime> sudo is going to be a pita over FTP?
[04:36] <Falados> oh, these files are managed via ftp?
[04:36] <LargePrime> yes
[04:37] <LargePrime> did I miss something obvious?
[04:37] <patdk-lap> other than ftp should never be used :)
[04:37] <LargePrime> sftp then
[04:38] <Falados> you can get more granularity with ACLs: https://help.ubuntu.com/community/FilePermissionsACLs
[04:38] <Falados> but that's usually not what I see.
[04:38] <Falados> YMMV
[04:39] <LargePrime> ok so what is wrong with setting a group as the owner and adding people to that group
[04:39] <Falados> or you can do what Heroku does, and use git w/ hooks.
[04:39] <Falados> that way no one owns the deployment files
[04:39] <LargePrime> what is git with hooks?
[04:40] <LargePrime> also, note the total noob
[04:40] <patdk-lap> ya, I have a website that just does git pulls every minute
[04:40] <Falados> git is source control management
[04:40] <LargePrime> I know
[04:40] <Falados> like Mercurial, or Bazaar
[04:41] <Falados> and a post-receive hook is just a bash script that you can create that will deploy the files
[04:42] <LargePrime> I think that is gonna be kinda tough for my web guys
[04:42] <Falados> actually, not just bash, could be py, perl, ruby
[04:42] <Falados> Well, if you don't want to change your workflow, then maybe you'll have to set up ACLs.
[04:42] <Falados> they did that at my University for web hosting with FTP.
[04:42] <LargePrime> because granting ownership to a group is an issue?
[04:43] <Falados> yeah, it is not granular enough. You can't give multiple groups access to the same files
[04:43] <LargePrime> I can't make one group owner and another the group?
[04:44] <LargePrime> does a user have to be owner?
[04:45] <Falados> the http server needs to have read (and in some cases write) access to the files and folders it needs. It can get this only through those 3 ways:
[04:45] <Falados> user, group, other
[04:45] <Falados> other is too broad
[04:46] <Falados> gives every account access - so that's a cop-out
[04:46] <LargePrime> its user
[04:46] <Falados> if its user is web-guy, then they have one set of permissions, and if group is www-data then www-data has another set of permissions, but you can't introduce a third into this without ACLs.
[04:48] <LargePrime> and user can't be a group?
[04:48] <Falados> correct
[04:48] <Falados> a user is always a user.
[04:48] <LargePrime> bah
[04:48] <Falados> with ACLs you can give permissions to arbitrary users and groups
[04:49] <LargePrime> but I have to take down the server to implement acls
[04:49] <Falados> yeah, you have to re-mount
[04:51] <Falados> you can get by with playing with users and groups, but you'll find that it's really too coarse and you'll end up giving too many permissions to people
[04:51] <Falados> the only solution that doesn't need a remount would be a change in deployment process.
[04:52] <Falados> using FTP as a staging area, and a script run as www-data to deploy from staging
[04:52] <Falados> could be as simple as rsync or as sophisticated as triggering a job in a CI server like jenkins
[04:54] <LargePrime> how can www-data deploy files it might not have read or write access to?
[04:54] <Falados> well, you could also run the script as root too
[04:54] <Falados> no one should be running that script besides cron anyway
[04:55] <Falados> but your refresh-rate won't be immediate with cron. it will take about a minute
[04:55] <LargePrime> there must be tonnes of websites that have virtual hosts.  How do they handle these things
[04:56] <Falados> probably using jails/chroot
[04:56] <LargePrime> and make webguy the owner?
[04:56] <Falados> and the web-guy has total access to the server either via SSH, or cpanel, or something
[04:57] <Falados> although I haven't set up a shared hosting server, so I don't have a specific implementation I can reference.
[04:58] <Falados> perhaps solutions like CPanel hide all of these details for you.
[04:58] <Falados> s/for/from
[05:09] <Falados> there are probably open-source cpanel-like applications that can help in this regard.  Just a quick google search brings up a wikipedia page on it:
[05:09] <Falados> en.wikipedia.org/wiki/Comparison_of_web_hosting_control_panels
[05:11] <Falados> I'm out. hope this helps some
[05:37] <jdstrand> Falados: while there probably won't be anyone there right now, you might bring up apparmor and tomcat in #apparmor on OFTC
[05:38] <jdstrand> you can get a definitive answer on how it (used to) work, where it is now, etc
[06:41] <billy_ran_away> Anyone up and active?
[06:42] <azKennett> I'm new to Ubuntu Server but I'm trying to setup a dhcp server. Can anyone point me to a tut/guide. Or take the time to help me out. Thanks.
[06:43] <billy_ran_away> azKennett: http://askubuntu.com/questions/140126/how-do-i-configure-a-dhcp-server
[06:43] <azKennett> Thanks billy_ran_away
[06:51] <azKennett> billy_ran_away, I followed the guide and I get error, "stop: Unknown instance: start: Job failed to start" any ideas?
[06:52] <billy_ran_away> azKennett: Yea check /var/log/syslog and look for "dhcpd: Open a socket for LPF: Permission denied"
[06:53] <billy_ran_away> azKennett: If you have that then refer to this bug: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1107686
[06:53] <uvirtbot> Launchpad bug 1107686 in isc-dhcp "dhcpd: Open a socket for LPF: Permission denied" [Undecided,Fix released]
[06:53] <azKennett> billy_ran_away, I'll look
[06:57] <azKennett> billy_ran_away: Didn't see it.
[07:16] <ak5> hi, I get an error when doing `sudo apt-get update` it stalls at "Reading package lists... 99%" then prints out "Reading package lists... Error!"
[07:17] <ak5> I am using amazon ec2
[07:35] <SpamapS> ak5: "Error!" usually has a message with it.
[07:35] <ak5> SpamapS: this time it doesn't. I have the same error as this guy http://askubuntu.com/questions/259114/reading-package-lists-in-update-apt-get-ubuntu-12-04-vps
[07:36] <SpamapS> ak5: weird
[07:36] <ak5> SpamapS: indeed
[07:38] <ak5> SpamapS: any ideas?
[07:42] <SpamapS> ak5: none I'm afraid. :-/
[07:48] <ak5> SpamapS: I am going to change mirrors
[07:53] <ak5> ls
[08:07] <jamespage> xnox, great - I thought that was the case; I revised that patch to be backwards compat as well - it's for 2.4.3 which I'm currently working on the merge for
[08:18] <sies34> has anyone tested ZFS with Ubuntu Server 13.04?
[08:24] <AfroMark> Hi all. I'm setting up ubuntu server for the first time and have a few general questions. Anyone around to help?
[08:28] <sies34> I have no experience setting up a server with ubuntu, only with debian
[08:28] <AfroMark> I'm hoping to use the server as a LAMP server, a printer server for home, and its main use will be as a minecraft server. What sort of security precautions should I take?
[08:29] <AfroMark> Hi sies34. These are only general questions though, so perhaps you'd be able to help anyway.
[08:29] <sies34> at what level?
[08:30] <sies34> go ahead
[08:31] <AfroMark> First question is above. What do you mean "at what level"? I know network/server security is an expansive subject, but I'm just looking for a simple "best practice" to ensure my home network isn't compromised.
[08:34] <sies34> best first line of defense is a firewall
[08:34] <AfroMark> So for example, a firewall is a given.
[08:34] <AfroMark> Haha. Great minds...
[08:34] <sies34> do you have a router?
[08:35] <blkperl> AfroMark: or you can use iptables
[08:35] <AfroMark> Yes - the server will have a wired connection to a wireless modem/router which serves the house
[08:35] <blkperl> first thing you should do is disable root login via password, use ssh keys or disable it all together
[08:39] <sies34> you can choose between iptables (on your linux server) or your built-in firewall of the router
[08:40] <AfroMark> I read something about disabling root password login. Does that only account for remote access? I don't want it to be a pain every time I try to "sudo" something
[08:40] <sies34> usually it's better/easier to configure the firewall of the router
[08:41] <sies34> yes
[08:41] <sies34> after you login with ssh you can 'su'
[08:44] <sies34> it also helps if you forward port 22 to another port in your router
[08:44] <sies34> for instance 45893
[08:44] <blkperl> AfroMark: sudo is different, and yes in the ssh config for remote access
[08:45] <rbasak> I feel that changing ssh port is cargo culting nowadays: http://bsdly.blogspot.co.uk/2013/02/theres-no-protection-in-high-ports.html
[08:45] <sies34> there are many port scans on port 22
[08:46] <rbasak> I lock down ssh users with AllowUsers in /etc/ssh/sshd_config. Then you don't have to worry about accidentally having a weak password on some other account.
[08:46] <AfroMark> On the whole, how accurate is the information here? http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/
[08:47] <rbasak> Then make sure you either have very strong passwords on the AllowUsers accounts, or disable password auth in sshd_config and use keys only.
[08:47] <rbasak> I'd make sure that the minecraft daemon is running as its own special user, and constrain it with AppArmor.
[08:50] <sies34> indeed better to use a ssh-key
[08:50] <rbasak> LAMP servers are particularly vulnerable. I'd put that in a separate VM, or at least very carefully constrain it with AppArmor.
[08:52] <AfroMark> Thanks all for the advice
[08:52] <AfroMark> Obviously there are quite a few things I need to look into!
[08:54] <AfroMark> One last question - I have a NAS attached to my router. Would I be able to run an ftp server allowing access to the network storage? Or is that opening up even more security concerns?
[08:57] <nfrmatk> I wouldn't double dip like that if I had other options. Minecraft server/print server/FTP server is a lot to keep in mind when starting out.
[08:57] <sies34> use NFS
[08:57] <rbasak> Set up two VMs. One for services to the outside world, and one for services to your LAN.
[08:58] <sies34> when your NAS supports NFS
[09:00] <nfrmatk> rbasak is thinking in the right direction. Separate out your tasks.
[09:01] <sies34> or use smbmount on your server
[09:08] <AfroMark> Will 2 VMs be a drain on resources? It may be that I'm trying to accomplish too much too soon.
[09:09] <AfroMark> The computer I'm planning to use is fairly old. 2.4Ghz CPU and 2gig RAM.
[09:10] <AfroMark> I apologise in advance if I'm being a massive newbie.
[09:10] <nfrmatk> Don't even worry about it.
[09:11] <nfrmatk> I wish I'd known there was an ubuntu-server channel when I started.
[09:11] <nfrmatk> 2 VMs will probably be a bit much for that build...
[09:13] <nfrmatk> You can just test and develop on that machine if you hold off forwarding any ports on your router til you have your ideal configuration.
[09:24] <AfroMark> I'd better be off now. Thanks to everyone for the advice! It's given me plenty to think about.
[09:25] <AfroMark> It's likely I'll be back soon though!
[09:54] <ak5> hi guys, I have an ubuntu instance that gets an error at `sudo apt-get update` - anyone else have this? It outputs: Reading package lists... Error! And nothing else
[10:42] <lotia> Is there a recommended way for conditionally setting an environment variable? To elaborate, files ending in .sh in /etc/profile.d are sourced by all users. What if I want to source some env vars in an init script.
[10:43] <lotia> I don't want to set those vars directly, because several scripts may use them.
[10:47] <jamespage> lotia, /etc/default/<NAME>
[11:03] <Daviey> jamespage, rbasak, any other english folk - happy may day.  Will you be doing a may pole dance later?
[11:03] <Daviey> I already have bells on my shoes, all set.
[11:03] <jamespage> Daviey, already have me bells on
[11:03] <jamespage> just about to go get my big stick
[11:05] <Daviey> heh.
[11:11] <lotia> jamespage: thank you
[11:11] <zul> workers of the world unite!
=== stan_ is now known as Guest98943
[12:13] <Guest98943> how often is /var/tmp cleared in Ubuntu?
=== Guest98943 is now known as stan_0001
[12:14] <stan_0001> Is /var/tmp cleared automatically in Ubuntu?
[12:17] <jacobw> stan_0001: /tmp is a ramdisk, it exists in ram only. It's not that it's cleared on shutdown, it's that it doesn't survive shutdowns at all.
[12:18] <stan_0001> jacobw, I see thanks.
[12:18] <jacobw> stan_0001: /var/tmp isn't a ramdisk, it's just a directory in the filesystem on the disks, it's just like any other directory
[12:21] <jacobw> stan_0001: Consider symlinking to /tmp or mounting /var/tmp as a ramdisk
=== Jikan is now known as Jikai
=== Jikai is now known as Jikan
[13:31] <slestak> I'm seeing a strange screen artifact using byobu + tmux that doesn't occur when using straight screen.
[13:31] <slestak> I don't use tmux outside of byobu,
[13:31] <slestak> not sure if this would be a good channel to discuss this since byobu is an ubuntu creation
[13:33] <slestak> sometimes when I resume a disconnected session, I have a {window|pane|whoknows} off to the side that seems to be filled with period characters.  I don't think I can switch to it, and I cannot make it occur on demand, but it does occur pretty frequently.
[13:33] <slestak> It might be related to resuming a session with a terminal with a different window size than the one detached
[13:34] <slestak> anyone seen that on their installs?  I am using the current putty to connect to ubuntu 12.04.2
[13:35] <slestak> I'll get a screenshot next time
[13:36] <slestak> kirkland: ping, have you seen this happen?
[13:36] <kirkland> slestak: hi
[13:36] <slestak> good morning man.
[13:37] <slestak> this is not a big issue, just something I'm trying to figure out.  if you think it is def a tmux thing I'll go talk to them
[13:37] <kirkland> slestak: it's just like you say -- when you see the "periods", you're connecting from a terminal larger than some other terminal that's also connected
[13:37] <kirkland> slestak: it is a feature/function of tmux
[13:37] <kirkland> slestak: you can force disconnect the other client
[13:38] <kirkland> slestak: let me find the command/key for that
[13:38] <slestak> I'm trying to see where the feature part of that comes in.  for instance, doesn't gnu screen handle that a little more gracefully?
[13:38] <slestak> I can look at the docs, thanks for the pointer
[13:39] <kirkland> slestak: I prefer tmux's handling of it, actually
[13:40] <slestak> cool, I'll check it out.
[13:40] <kirkland> slestak: but that's probably just preference
[13:40] <kirkland> slestak: okay, you can do this...
[13:40] <slestak> just wasn't understanding the implementation
[13:40] <kirkland> slestak: if your escape key is ctrl-a, then try pressing ctrl-a-D
[13:40] <kirkland> slestak: note that's a capital D
[13:40] <kirkland> slestak: that will show you a list of attached clients
[13:40] <kirkland> slestak: and the geometry of their screens
[13:40] <kirkland> slestak: pick the one you want to kill (probably the smallest geometry)
[13:41] <kirkland> slestak: and you'll detach that client's connection
[13:42] <kirkland> slestak: I think there's a byobu feature request to add a hotkey to "detach all clients not myself"
[13:42] <slestak> cool
[13:42] <slestak> thanks for byobu
[13:42] <kirkland> slestak: you bet!  thanks for using it!
[13:51] <billy_ran_away> Can anyone explain why my pvscan isn't showing the correct volumes and it says something about "Incorrect metadata area header checksum" http://pastie.org/7746710
=== wedgwood_away is now known as wedgwood
=== bladernr` is now known as bladernr
[14:33] <pmatulis> billy_ran_away: prolly b/c lvmscan is looking at non-LVM partitions
[14:33] <billy_ran_away> pmatulis: Yea I was hoping that was it, but it's not.
[14:34] <billy_ran_away> pmatulis: I'm closer to solving I think, thanks for the suggestion though.
[14:34] <pmatulis> billy_ran_away: ok, report back when you find out more
[14:35] <billy_ran_away> pmatulis: Okay thanks
=== Jikan is now known as Jikai
=== dosaboy_ is now known as dosaboy
=== Jikai is now known as Jikan
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
[15:50] <RoyK> anyone here that can explain where and how md arrays are assembled? seems lucid assembles nested arrays fine, but precise and later does not. it assembles the base arrays, but not the ones on top (as in raid-5+0 etc). See bug 1171945 for details.
[15:50] <uvirtbot> Launchpad bug 1171945 in mdadm "Nested RAID levels aren't started after reboot" [Undecided,Confirmed] https://launchpad.net/bugs/1171945
[16:09] <parallel21> Anyone know how I can manage users' home directories across a series of machines?
[16:27] <Corey> parallel21: Salt, ldap, puppet, chef, cfengine, spine, rsync, and NFS mounting, just to name a few.
[16:31] <genii-around> My vote's with rsync.
[16:33] <Corey> Oh god that's horrible.
[16:33] <Corey> genii-around: I use git / vcsh.
[16:34] <genii-around> I've heard of using git for this sort of thing but never tried it myself.
[16:43] <parallel21> I'm not so concerned about dotfiles, but stuff like text files and managing user profiles and passwords across machines. I'd like to be able to add an ssh user across a set of machines
[16:45] <Corey> parallel21: Yes, welcome to the world of either LDAP, or configuration management. Your pick.
[16:46] <Corey> parallel21: And really, ssh keys make more sense in this decade.
[16:46] <Corey> parallel21: How many servers are we talking?
[16:49] <parallel21> Corey: Under 10… I'd really like to use something like puppet. But I'd like something I could deploy more quickly, as I know little about puppet. LDAP would be OpenLDAP? Ssh-keys wouldn't just fix it would it? They'd need a home folder and the like?
[16:49] <Corey> parallel21: saltstack.org is probably your best bet.
[16:51] <parallel21> Corey: This looks awesome
[16:52] <Corey> parallel21: Thank you. #salt is also a good resource here.
[17:04] <resno> parallel21: look at ansible
[17:04] <resno> #ansible also
[17:05] <resno> it's all ssh based commands, but can build up if needed
[17:05] <GeminiDomino> I'm trying to set up postfix with SMTP AUTH on 12.04 but the guide on help.ubuntu.com seems to be out of date with regard to dovecot configuration. Does anyone know of another resource?
[17:11] <parallel21> GeminiDomino: I've been doing the same
[17:11] <GeminiDomino> Any luck?
[17:11] <parallel21> GeminiDomino: Where are you having a problem?
[17:12] <parallel21> Going in works… smtp auth out does not
[17:12] <GeminiDomino> I'm not getting the "250-AUTH xxx" lines in the ehlo response
[17:12] <parallel21> Hrmmm..
[17:21] <GeminiDomino> Yep. Just did it from scratch again... I get the STARTTLS announce, but no auth...
[17:37] <GeminiDomino> I never thought I'd miss Sendmail. <_<
[17:38] <RoyK> postfix?
[17:39] <GeminiDomino> That's what's making me miss sendmail. :)
[17:40] <parallel21> Yeah, I was thinking about sendmail as well. What's the diff?
[17:41] * RoyK mumbles something about PEBKAC
[17:41] <parallel21> pbkac?
[17:43] <GeminiDomino> parallel21: Sendmail's configuration files make perl look readable. :)
[17:52] <psivaa> hallyn: hello :)
[17:53] <psivaa> 'sudo kvm -hda test.img -monitor stdio' returns 'Could not initialize SDL(No available video device) - exiting' on our precise servers
[17:54] <hallyn> psivaa: what happens when you type 'xterm' ?
[17:54] <hallyn> psivaa: shorter answer: add '-vnc :1'
[18:02] <psivaa> hallyn: ok thanks, adding '-vnc:1' makes it work, xterm is not installed though
=== Ursinha-afk is now known as Ursinha
=== gary_poster is now known as gary_poster|away
=== gary_poster|away is now known as gary_poster
=== gary_poster is now known as gary_poster|away
=== gary_poster|away is now known as gary_poster
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== smb` is now known as smb
bananapieCan I unbond two network interfaces that were bounded at boot using network/interfaces without risking the stability of the production server or the second bonded interface without rebooting the server?20:56
bananapieI tried ifenslave -d bond1 eth2 eth321:03
bananapieok it worked, it just took a few seconds21:06
bananapiethere was probably a machine whose arp tables didn't update or something21:06
bananapiethanks21:06
=== mikal__ is now known as mikal
AisonI upgraded my testserver to raring, now it no longer boots. In recovery mode I can see some output from the kernel, but after21:55
Aisonrunning scripts/init-bottom21:56
Aisonit hangs21:56
Aisonin ubuntu I heard that I should use nomodeset as kernel options21:56
Aisonbut that don't help21:56
Aisonany hints? with grml I can boot into the system and changeroot21:58
MarlincWhat packages do you need to install on a MAAS node?21:58
MarlincIn order to connect it to the MAAS server21:58
markthomasAison: can you boot it in rescue mode and mount the root filesystem?22:28
Aisonmarkthomas, no, the system hangs directly after printing the message22:30
AisonBegin: Running /scripts/init-bottom ... done.22:30
Aisonthen I can't do anything22:30
markthomasAison: That's from a cold boot?  Hmmm22:31
Aisonyes22:31
markthomasAison: how about a rescue CD?  We want to try to take a look at syslog.22:32
AisonI think I have to create a rescue CD first :)22:33
sarnoldAison: maybe try init=/bin/sh  before burning a CD? :)22:34
Aisonuhm, where should I try that? :P  (maybe stupid question)22:35
thesheff17does anyone have any experience with the JMX and tomcat... I keep getting Debugger failed to attach: handshake failed - received >< - expected >JDWP-Handshake<22:35
Aisongrub?22:35
cydizenAison:  I might have missed an earlier post but have you tried to boot in Single User mode? (also from grub)22:35
Aisoncydizen, no22:35
sarnoldAison: yes, from grub, you can add that init=/bin/sh to the kernel command line22:36
Aisonthere I can also add single for single user mode?22:37
cydizenAison:   yes you can22:37
sarnoldsingle is more polite :)22:37
cydizenI would only recommend trying one of our methods at a time though.  Process of elimination22:37
=== bigjools_ is now known as bigjools
markthomasAgreed.  Booting from a rescue CD while trying single-user and init=/bin/sh...overkill, perhaps.22:39
markthomas;)22:39
cydizenthesheff17:  when you do a ps -ef  and look at your java line, does it explicitly state JMX and port number?22:39
Aisoncydizen, well, single was already the (because of recovery mode)22:40
Aisonso that is tested22:40
Aisonalso nomodeset22:40
thesheff17cydizen, it does22:40
Aisonwith init=/bin/sh I get a kernel panic :)22:41
cydizenAison: What  version did you upgrade from?22:41
Aison12.something22:42
Aisonquantal?22:42
AisonI also tested it on a second machine with a brand new quantal 12.10 installation22:43
Aisonsame problem there22:44
Aisonon the other hand, it worked on my notebook22:44
Aisonbut there it was xubuntu22:44
markthomasAison: If you can't get grub to boot into single-user mode in any variant, it's time to grab optical media.22:45
cydizenI agree with markthomas on that22:45
Aisonmarkthomas, what should I do? download ubuntu server and then there is a rescue mode?22:45
cydizenthesheff17,  in my experience you might have something conflicting on the specified port.  Can you change it and try again?22:47
cydizenelse that port is being block by a segment of your network22:48
thesheff17it's weird I tried port 8001 instead of 8000...same problem...I can telnet to the port fine...I even tried tunneling through ssh and it throws the same error22:49
markthomasAison: Try grabbing the desktop version.  The live CD that it launches will give you a comfy working environment to mount the server filesystem.  Assuming you don't have any obscure controller drivers compiled into your kernel...22:49
markthomasthesheff17: you can't even tunnel and connect to localhost?22:51
thesheff17markthomas, let me try22:52
thesheff17markthomas, it connected then threw a giant stack trace22:57
thesheff17I wonder if it is because I'm using the openjdk vs  the sun jdk22:58
markthomasthesheff17: I don't know.  I'm not a Java dev.  However, if the app can receive connections from localhost but not externally, then that does sound like a network issue.  Just to confirm: you tried turning off ufw and flushing the iptables rules?23:01
cydizenlet's check a couple of things23:02
cydizenin your running process, -Dcom.sun.management.jmxremote.port=?????23:02
cydizenwhat port is specified there23:02
thesheff17markthomas, yea I can even telnet from my local machine to it....and it throws that handshake error...JMX just doesn't like me.23:07
markthomasthesheff17: we're rapidly reaching the limits of my Java expertise, if we're not already there.  cydizen?23:08
sarnoldmarkthomas: btw, it is possible for an application to bind a port to the localhost ip address and thus only accept connections from localhost23:09
thesheff17oh sorry cydizen I didn't see that message23:09
thesheff17I have port 800023:09
sarnoldmarkthomas: no firewall necessary23:09
thesheff17JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n"23:09
thesheff17could my app make the JMX stack trace like that...maybe I should try to remove my app and try to connect again23:10
markthomassarnold: does that JAVA_OPTS look right to you?23:11
thesheff17it's the stock from /etc/default/tomcat723:11
sarnoldmarkthomas: sorry, that's also beyond my java :( hehe, I just know POSIX API...23:11
markthomasaddress=8000?  Is that right?23:14
thesheff17well that is what was in the /etc/default/tomcat7 file...it stack traced even without my app loaded23:14
markthomasthesheff17: guessing wildly, it sounds like you've got java runtime issues.23:15
thesheff17yea it's weird...I'm going to try and start up a new lxc container and do some testing...thx all for the help23:15
cydizenthesheff17, I'm sorry I was disconnected.  Did you verify you are connecting to that port?23:18
cydizen(whatever is listed)23:18
cydizenIf so the next thing we want to verify is: -Dcom.sun.management.jmxremote.authenticate=false23:19
cydizen(unless you set up auth specifically )23:19
thesheff17so the port is set to 8000...I'm forwarding X to my local machine and running jconsole23:19
thesheff17and then I got a giant stack trace23:19
thesheff17I'm loading up an lxc-container and verifying I didn't break something with the installation of tomcat23:20
cydizenin the stack trace are you getting an X11 error?23:21
thesheff17no it looks like a java.util error23:21
cydizenboy, you have a good one brewing today don't you? :)23:22
sarnoldoh you get a stackdump? can you pastebin it?23:22
thesheff17yea this is def one of those crazy days :)23:22
thesheff17yea one sec for the pastebin23:24
thesheff17I'm trying it in this new container23:24
thesheff17and see if it fails23:24
=== Gasseus is now known as Rallias
thesheff17wow it happened with the stock tomcat and openjdk6 http://paste.ubuntu.com/5624364/23:26
sarnolddarn, nothing obvious to me. that 99% used makes me wonder but I haven't got a clue how to read it23:29
thesheff17yea I installed openjdk-6-jdk tomcat7 and uncommented JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n" and it blows up23:33
cydizenwhat port is tomcat listening on? (server.xml)23:34
thesheff17it defaults to 808023:35
cydizenjust curious thesheff17,  since you have access to the server, does catalina.out contain the information you are looking for to begin with?23:46
thesheff17cydizen, well we are doing some load testing and third party company is coming in and wanted JMX access and I thought I could get this working....I'm just a sys admin23:47
cydizenother than that, the only other thing I can see is setting tomcat to run with debugging via options in catalina.sh23:47
cydizenexport JPDA_ADDRESS=800023:48
cydizenexport JPDA_TRANSPORT=dt_socket23:48
cydizenbin/catalina.sh jpda start23:48
Aisonmarkthomas, how can I now use the disk to read the logs?23:48
Aisonor to rescue the system23:48
markthomasAison:  Have you booted to the live CD?23:49
Aisonyes23:51
AisonI can also mount the harddisk23:51
Aisonchroot23:51
Aisonetc...23:51
Aisonbut no idea what is broken23:51
Aisonso no idea where to start23:51
markthomasAison: okay.  So, now cd into /mnt/var/log/ or whatever mount point you're using, and let's have a look at the syslog log file.23:52
Aisonwell, syslog is not touched since the upgrade to raring23:53
=== markthomas_ is now known as markthomas
markthomasOkay.  Look for anything that has been.23:54
Aisonso when I boot the kernel now, the drive is not mounted and no logs are written23:54
sarnoldAison: you're not that interested in new logs, just old logs23:54
markthomasOkay.  Give me one sec.23:55
sarnoldmarkthomas: heh, how'd you upset services so badly?23:55
markthomasSorry?23:55
sarnoldmarkthomas: disconnected by services and so forth23:55
markthomasHad to reboot.  On my tablet until it comes back up.23:56
markthomasStupid nickserv.23:56
sarnoldaha :)23:56
skraitohello23:57
skraitoanyone here23:57
skraitois ubuntu server free23:57
skraito0x71 would like to code ubuntu server hardening script23:58
skraitowill the apt-get upgrade will be free ?23:58
sarnoldskraito: yes, completely free.23:58
skraitoah ic so apt-get upgrade will work without license right ?23:58
skraitoi am trying to play with it now23:59
sarnoldskraito: well, everything is -licensed-, but with an opensource license that gives you rights and responsibilities. The different components can have different licenses...23:59
skraito http://0x71.org/2013/05/01/0x71-0day-bash-keylogger-release/23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!