=== blackjack is now known as sumpit | ||
=== sumpit is now known as woles | ||
Eitan | Hey gents, is there a way to change the outward facing IP address on my server? | 01:16 |
---|---|---|
Eitan | i have bout 25 IP's configed and its using 1 as the outward and i need it to use another | 01:16 |
Eitan | seems to be using the last one on my list, as apposed to the first one that it should be using | 01:17 |
RoyK | Eitan: rfc1918 addresses? | 01:18 |
RoyK | nat? | 01:19 |
Eitan | So i have eth0 - eth17 | 01:19 |
Eitan | and its using eth 17 as the external instead of eth0, i could just rename eth 0 to eth18 | 01:19 |
RoyK | what addresses? | 01:19 |
Eitan | nat | 01:19 |
Eitan | vim /etc/udev/rules.d/70-persistent-net.rules perhaps? | 01:20 |
RoyK | same subnet? | 01:20 |
Eitan | yes | 01:20 |
RoyK | why so many NICs? | 01:20 |
Eitan | its a dedicated server... thats how the host set it up | 01:21 |
qman__ | you shouldn't assign addresses in the same subnet to more than one physical adapter | 01:21 |
Eitan | i needed a lot of ip's | 01:21 |
RoyK | Eitan: you don't need a truckload of IP addresses | 01:21 |
Eitan | i agree, | 01:22 |
Eitan | but right now i cant get rid of all of them | 01:22 |
Eitan | i just need to change my outward facing ip | 01:22 |
qman__ | there is no such thing; you're misinterpreting something else | 01:22 |
Eitan | so i can get through someones firewall, instead of asking them to change hte IP in their ACLs | 01:22 |
qman__ | I assume you mean the IP your system is sending new connections out from | 01:22 |
Eitan | yes sir | 01:22 |
Eitan | my external iP | 01:22 |
Eitan | who people think i am | 01:23 |
qman__ | all of your IPs are external | 01:23 |
Eitan | ok, | 01:23 |
Eitan | you are right | 01:23 |
Eitan | mispoke | 01:23 |
Eitan | the ip that my system is sending out connections from | 01:23 |
Eitan | its currently using the last eth instead of the first | 01:23 |
qman__ | it's most likely using whichever one was most recently configured | 01:24 |
Eitan | qman: you are correct | 01:24 |
Eitan | it is using eth0:13 instead of eth0:1 | 01:24 |
Eitan | it is using eth0:13 instead of eth0:0 | 01:24 |
qman__ | ok; those are virtual interfaces, not physical, and are different in both configuration and function | 01:25 |
Eitan | ok, that makes sense they are all running on eth0 | 01:25 |
Eitan | and its using the last configured | 01:25 |
Eitan | so im just going to change it here /etc/network/interfaces | 01:26 |
qman__ | do you have more than one default gateway specified? | 01:26 |
Eitan | no | 01:26 |
Eitan | same default gateway | 01:26 |
qman__ | what I mean is, is it specified more than once? | 01:26 |
Eitan | yes sir | 01:26 |
qman__ | that's incorrect | 01:26 |
Eitan | specified for every IP | 01:26 |
qman__ | it should only be specified once | 01:27 |
qman__ | on the first interface | 01:27 |
Eitan | pretty much everything is duplicated for every network int | 01:27 |
Eitan | only thing different is address itself | 01:27 |
qman__ | that's wrong; the additional addresses should only be specified as address and netmask | 01:27 |
Eitan | ok, ill make that change | 01:28 |
Eitan | how should i go about making this stop using my last configured int as outgoing? | 01:28 |
Eitan | switch them in the config? | 01:28 |
qman__ | no | 01:28 |
qman__ | this will probably fix that | 01:29 |
Eitan | oh cool | 01:29 |
qman__ | if not, you'll have to change some advanced routing settings | 01:29 |
Eitan | got it | 01:29 |
Eitan | ill give it a shot | 01:29 |
Eitan | thanks for the info | 01:29 |
qman__ | after removing all those you will have to make that configuration apply, done easiest by rebooting | 01:29 |
qman__ | or you could probably manually delete all the extra gateways | 01:30 |
Eitan | ok, ill just run a quick reboot | 01:30 |
Eitan | could also use ssh -b address to use a speciifc Ip | 01:32 |
Eitan | woops | 01:32 |
=== LargePrime is now known as Guest16628 | ||
roasted | hello friends | 02:02 |
roasted | I have a server with a spinning drive for the OS. I got to thinking about taking it an dputting it on an SSD. If I would do that, should I exclude swap from the SSD? | 02:03 |
hachre | are you using swap a lot? | 02:18 |
roasted | hachre: I don't believe so... truth be told I haven't checked in quite a while. | 02:34 |
hachre | how much ram do you have? | 02:34 |
roasted | it's a home server... 4gb of ram. | 02:34 |
hachre | does it run anything? | 02:34 |
roasted | quite a bit, but all for personal use | 02:34 |
hachre | except samba | 02:34 |
roasted | subsonic, owncloud, apache, samba, motion video surveillance, mdadm raid | 02:34 |
hachre | dnot know that motion video thing | 02:35 |
hachre | apart from that | 02:35 |
hachre | they arent huge ram hogs | 02:35 |
hachre | anyway.. if you dont use it much i wouldnt care | 02:35 |
roasted | motion isn't a huge ram hog, but it taxes the cpu a little bit | 02:35 |
hachre | if you really trash it you could put it on the disks to spare the ssd | 02:35 |
hachre | i personally use linux as a desktop on my laptop with a ssd | 02:35 |
roasted | sounds good | 02:35 |
hachre | i dont have any problems | 02:35 |
hachre | laptop has been going for three years | 02:36 |
roasted | I just wasn't sure how swap + SSD would work | 02:36 |
hachre | swap on the ssd and i go way beyond the 4 gb sometimes | 02:36 |
roasted | like if that was a bad idea or anything | 02:36 |
hachre | nah | 02:36 |
qman__ | I run swapless | 02:36 |
qman__ | more RAM would have been cheaper | 02:36 |
hachre | just for the wear and tear | 02:36 |
roasted | do you guys know of a way to suck up the contents of my entire server OS and drop iton an SSD? | 02:36 |
roasted | 500GB HDD right now... want to go to 64GB SSD... | 02:36 |
hachre | I'd use rsync | 02:37 |
roasted | rsync for the OS? | 02:37 |
qman__ | yep, rsync | 02:37 |
hachre | for everything | 02:37 |
roasted | wow | 02:37 |
roasted | I didn't think rsync would work | 02:37 |
qman__ | rsync the files, then install grub to the SSD | 02:37 |
hachre | well you gotta reinstall grub and you have to do the partitioning on the ssd and mkfs | 02:37 |
hachre | thats it | 02:37 |
hachre | rest is rsync | 02:37 |
qman__ | specifically | 02:37 |
roasted | I had the drive prepped already | 02:37 |
roasted | just hooked it up to a sata connector on my laptop and GParted it | 02:38 |
roasted | I just haven't swapped it out yet | 02:38 |
roasted | renovating the basement, so... been pre-occupied | 02:38 |
qman__ | rsync -avh --exclude=/dev --exclude=/proc --exclude=/sys --exclude=/mnt/ssd / /mnt/ssd | 02:38 |
hachre | yup | 02:38 |
hachre | :) | 02:38 |
roasted | qman__: the server will be offline when I rsync. Would the excludes be needed then? | 02:38 |
qman__ | assuming you mount the ssd to /mnt/ssd | 02:38 |
qman__ | nope | 02:39 |
roasted | I can just do rsync -avh /media/hdd /media/ssd ?? | 02:39 |
qman__ | just mount both disks and rsync one to the other | 02:39 |
qman__ | yes | 02:39 |
roasted | well dang | 02:39 |
roasted | that's freakin nice | 02:39 |
hachre | :) | 02:39 |
roasted | taking that down in my notes quick... | 02:40 |
roasted | k, done deal | 02:42 |
roasted | thanks again fellas | 02:42 |
hachre | np | 02:42 |
Falados | Is there a way to secure Tomcat using AppArmor on 12.04? | 02:49 |
Falados | or more generally, applications that run on the JVM | 02:49 |
qman__ | yes, just like any other | 02:52 |
qman__ | you need to configure a profile that allows it the access needed | 02:52 |
Falados | but 'it' is the java binary. which could be used to run other JVM apps - which should have different profiles. | 02:53 |
Falados | yet they all look like the same binary | 02:53 |
Falados | I saw something about ChangeHat, but i cant find much. | 02:53 |
Falados | it was in the SuSE docs | 02:54 |
qman__ | looks like there used to be an apparmor_tomcat but it's been left to rot | 02:55 |
Falados | yeah, i saw that :( | 02:55 |
Falados | it would seem like i'd have to install a JVM per app and secure them that way, or combine the profiles into one (which kindof defeats the purpose) | 02:58 |
qman__ | yeah, I don't really see a way around that; you could make linked copies of the JVM by different names | 02:58 |
qman__ | still messy though | 02:58 |
Falados | AppArmor doesn't follow links to the underlying binary? I guess that would be another way it could work. | 02:59 |
qman__ | given the nature of tomcat and applications that run on it, there probably aren't many people that have this specific need | 02:59 |
Falados | I don't have the specific need just yet - its more of an academic excercise. | 02:59 |
Falados | but i can see it being useful in general | 03:00 |
qman__ | what people probably do in the real world is spin up a VM per tomcat application | 03:00 |
qman__ | offers greater separation and security between them | 03:00 |
Falados | probably for the best then. | 03:00 |
Falados | but I can see if tomcat were to host more than one application, it would make sense to isolate at the servlet level too (like tomcat_apparmor provided) | 03:02 |
Falados | I wonder if it was abandoned due to lack of interest, contributions, or both. | 03:03 |
Falados | since nothing has replaced it | 03:03 |
qman__ | that's likely | 03:03 |
qman__ | there are other considerations when running applications that need to be separate, which are more easily achieved by separating servers | 03:04 |
Falados | yeah. In a prod environment i'd be more inclined to have a single webapp per tomcat install | 03:04 |
qman__ | plus the way things are headed these days is toward preconfigured instances that you fire up on the fly with your application preloaded | 03:04 |
qman__ | "I need six more foos and three bars", click it in your openstack | 03:05 |
Falados | thx for the help qman__ | 03:07 |
LargePrime | what are the downsides of root not being the owner of a file in www-data | 03:20 |
Falados | i think it may be because chgrp can be used to give it away. and if root owns it, then only root can chgrp | 03:24 |
Falados | may be other reasons, could also just be convention | 03:25 |
LargePrime | Falados: but what is the harm in it being given away | 04:12 |
Falados | LargePrime: it depends on what it was changed to and who has access to that new group. It's unexpected behavoir, and should be avoided. | 04:30 |
Falados | LargePrime: but there may be other things that are not coming to mind. Its probably not a large attack vector - but its simple enough to enforce this convention anyway. | 04:31 |
LargePrime | do you have time to discuss more? | 04:31 |
LargePrime | Falados: | 04:32 |
LargePrime | i have several sites i host. like mydomain.com and yourdomain.com and thierdomain.org | 04:33 |
LargePrime | I want you to have rights to yourdomain.com them to have rights to thierdomain, and my web guy to have access to all of them | 04:34 |
LargePrime | www-data need to have access to server the files, and some of the files cannot be made public | 04:34 |
Falados | depends on your particular constriants, but the owner/user permissions are not very granular like that. | 04:35 |
LargePrime | my plan is to create a group for each domain and add web authors to each group as needed | 04:35 |
LargePrime | and set the group as owner | 04:35 |
Falados | there is an ACL implementation i think, but that might be overkill. I'd probably end up giving the web-guy sudo permissions | 04:35 |
LargePrime | sudo is going to be a pita over FTP? | 04:36 |
Falados | oh, these files are managed via ftp? | 04:36 |
LargePrime | yes | 04:36 |
LargePrime | did i miss something obvious? | 04:37 |
patdk-lap | other than ftp should never be used :) | 04:37 |
LargePrime | sftp then | 04:37 |
Falados | you can get more granularity with ACLs: https://help.ubuntu.com/community/FilePermissionsACLs | 04:38 |
Falados | but thats usually not what I see. | 04:38 |
Falados | YMMV | 04:38 |
LargePrime | ok so what is wrong with setting a group as the owner and adding peopel to that group | 04:39 |
Falados | or you can do what Hiroku does, and use git w/ hooks. | 04:39 |
Falados | that way no one owns the deployment files | 04:39 |
LargePrime | what is git with hooks? | 04:39 |
LargePrime | also, note the total noob | 04:40 |
patdk-lap | ya, I have a website that just does git pulls every minute | 04:40 |
Falados | git is source control management | 04:40 |
LargePrime | i know | 04:40 |
Falados | like mecurial, or bazaar | 04:40 |
Falados | and a post-receive hook is just a bash script that you can create that will deploy the files | 04:41 |
LargePrime | I think that is gonna be kinda tuff for my web guys | 04:42 |
Falados | actually, not just bash, could by py, perl, ruby | 04:42 |
Falados | Well, if dont want to change your workflow, then maybe you'll have to set up ACLs. | 04:42 |
Falados | they did that at my University for web hosting with FTP. | 04:42 |
LargePrime | because granting ownership to a group is an issue? | 04:42 |
Falados | yeah, it is not granular enough. You can't give multiple groups access to the same files | 04:43 |
LargePrime | i cant make one group owner and another the group? | 04:43 |
LargePrime | does a user have to be owner? | 04:44 |
Falados | the http server needs to have read (and in some cases write) access to the files and folders it needs. It can get this only though those 3 ways: | 04:45 |
Falados | user , group, other | 04:45 |
Falados | other is too broad | 04:45 |
Falados | gives every accoutn access - so thats a cop-out | 04:46 |
LargePrime | its user | 04:46 |
Falados | if its user is web-guy, then they have one set of permissions, and if group is www-data then www-data has another set of permissions, but you cant introduce a third into this without ACLs. | 04:46 |
LargePrime | and user cant be a group? | 04:48 |
Falados | correct | 04:48 |
Falados | a user is always a user. | 04:48 |
LargePrime | bah | 04:48 |
Falados | with ACLS you can give permissions to arbitrary users and groups | 04:48 |
LargePrime | but i have to take down teh server to implement acls | 04:49 |
Falados | yeah, you have to re-mount | 04:49 |
Falados | you can get by with playing with users and groups, but you'll find that its really too course and you'll end up giving too much permissions to people | 04:51 |
Falados | the only solution that doesnt need a remount would be a change in deployment process. | 04:51 |
Falados | using FTP as a staging area, and a script run as www-data to deploy from staging | 04:52 |
Falados | could be a simple as rsync or as sophisticated as triggering a job in a CI server like jenkins | 04:52 |
LargePrime | how can www-data deploy files it might not have read or write access too? | 04:54 |
Falados | well, you could also run the script as root too | 04:54 |
Falados | no one should be running that script besides cron anyway | 04:54 |
Falados | but your refresh-rate won't be immediate with cront. it will take about a minute | 04:55 |
LargePrime | there must be tonnes of websites that have virtual hosts. How do tehy handel these things | 04:55 |
Falados | probably using jails/chroot | 04:56 |
LargePrime | and make webguy the owner? | 04:56 |
Falados | and the web-guy has total access to the server either via SSH, or cpanel, or something | 04:56 |
Falados | although I havn't set up a shared hosting server, so i dont have a specific implementation I can reference. | 04:57 |
Falados | perhaps solutions like CPanel hide all of these details for you. | 04:58 |
Falados | s/for/from | 04:58 |
Falados | there are probably open-source cpanel-like applications that can help in this regard. Just a quick google search brings up a wikipedia page on it: | 05:09 |
Falados | en.wikipedia.org/wiki/Comparison_of_web_hosting_control_panels | 05:09 |
Falados | im out. hope this helps some | 05:11 |
jdstrand | Falados: while there probably won't be anyone there right now, you might bring up apparmor and tomcat in #apparmor on OFTC | 05:37 |
jdstrand | you can get a definitive answer on how it (used to) work, where it is now, etc | 05:38 |
billy_ran_away | Anyone up and active? | 06:41 |
azKennett | I'm new to Ubuntu Server but I'm trying to setup a dhcp server. Can anyone point me to a tut/guide. Or take the time to help me out. Thanks. | 06:42 |
billy_ran_away | azKennett: http://askubuntu.com/questions/140126/how-do-i-configure-a-dhcp-server | 06:43 |
azKennett | Thanks billy_ran_away | 06:43 |
azKennett | billy_ran_away, I followed the guide and I get error, "stop: Unknown instance: start: Job failed to start" any ideas? | 06:51 |
billy_ran_away | azKennett: Yea check /var/log/syslog and look for "dhcpd: Open a socket for LPF: Permission denied" | 06:52 |
billy_ran_away | azKennett: If you have that then refer to this bug: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1107686 | 06:53 |
uvirtbot | Launchpad bug 1107686 in isc-dhcp "dhcpd: Open a socket for LPF: Permission denied" [Undecided,Fix released] | 06:53 |
azKennett | billy_ran_away,I'll look | 06:53 |
azKennett | billy_ran_away: Didn't see it. | 06:57 |
ak5 | hi, I get an error when doing `sudo apt-get update` it stalls at "Reading package lists... 99%" then prints out "Reading package lists... Error!" | 07:16 |
ak5 | I am using amazon ec2 | 07:17 |
SpamapS | ak5: "Error!" usually has a message with it. | 07:35 |
ak5 | SpamapS: this time it doesn't. I have the same error as this guy http://askubuntu.com/questions/259114/reading-package-lists-in-update-apt-get-ubuntu-12-04-vps | 07:35 |
SpamapS | ak5: weird | 07:36 |
ak5 | SpamapS: indeed | 07:36 |
ak5 | SpamapS: any ideas? | 07:38 |
SpamapS | ak5: none I'm afraid. :-/ | 07:42 |
ak5 | SpamapS: I am going to change mirrors | 07:48 |
ak5 | ls | 07:53 |
jamespage | xnox, great - I thought that was the case; I revised that patch to be backwards compat as well - its for 2.4.3 which I'm currently working on the merge for | 08:07 |
sies34 | has anyone tested ZFS with Ubuntu Server 13.04? | 08:18 |
AfroMark | Hi all. I'm setting up ubuntu server for the first time and have a few general questions. Anyone around to help? | 08:24 |
sies34 | I have no experience setting up a server with ubuntu, only with debian | 08:28 |
AfroMark | I'm hoping to use the server as a LAMP server, a printer server for home, and its main use will be as a minecraft server. What sort of security precautions should I take? | 08:28 |
AfroMark | Hi sies34. These are only general questions though, so perhaps you'd be able to help anyway. | 08:29 |
sies34 | at what level? | 08:29 |
sies34 | go ahead | 08:30 |
AfroMark | First question is above. What do you mean "at what level"? I know network/server security is an expansive subject, but I'm just looking for a simple "best practice" to ensure my home network isn't compromised. | 08:31 |
sies34 | best first line of defense is a firewall | 08:34 |
AfroMark | So for example, a firewall is a given. | 08:34 |
AfroMark | Haha. Great minds... | 08:34 |
sies34 | do you have a router? | 08:34 |
blkperl | AfroMark: or you can use iptables | 08:35 |
AfroMark | Yes - the server will have a wired connection to a wireless modem/router will serves the house | 08:35 |
blkperl | first thing you should do is disable root login via password, use ssh keys or disable it all together | 08:35 |
sies34 | you can choose between iptablet (on your linux server) or your built-in firewall of the router | 08:39 |
AfroMark | I read something about disabling root password login. Does that only account for remote access? I don't want it to be a pain every time i try to "sudo" something | 08:40 |
sies34 | usually to configure the firewall of the router better/easier | 08:40 |
sies34 | yes | 08:41 |
sies34 | afer you login with ssh you can 'su' | 08:41 |
sies34 | it also helps if you forward port 22 to another port in your router | 08:44 |
sies34 | for instance 45893 | 08:44 |
blkperl | AfroMark: sudo is different, and yes in the ssh config for remote access | 08:44 |
rbasak | I feel that changing ssh port is cargo culting nowadays: http://bsdly.blogspot.co.uk/2013/02/theres-no-protection-in-high-ports.html | 08:45 |
sies34 | there are many port scans on port 22 | 08:45 |
rbasak | I lock down ssh users with AllowUsers in /etc/ssh/sshd_config. Then you don't have to worry about accidentally having a weak password on some other account. | 08:46 |
AfroMark | On the whole, how accurate is the information here? http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/ | 08:46 |
rbasak | Then make sure you either have very strong passwords on the AllowUsers accounts, or disable password auth in sshd_config and use keys only. | 08:47 |
rbasak | I'd make sure that the minecraft daemon is running as its own special user, and constrain it with AppArmor. | 08:47 |
sies34 | indeed better to use a ssh-key | 08:50 |
rbasak | LAMP servers are particularly vulnerable. I'd put that in a separate VM, or at least very carefully constrain it with AppArmor. | 08:50 |
AfroMark | Thanks all for the advice | 08:52 |
AfroMark | Obviously there are quite a few things i need to look into! | 08:52 |
AfroMark | One last question - I have a NAS attached to my router. Would I be able to run an ftp server allowing access to the network storage? Or is that opening up even more security concerns? | 08:54 |
nfrmatk | I wouldn't double dip like that if I had other options. Minecraft server/print server/FTP server is a lot to keep in mind when starting out. | 08:57 |
sies34 | use NFS | 08:57 |
rbasak | Set up two VMs. One for services to the outside world, and one for services to your LAN. | 08:57 |
sies34 | when you nas supported NFS | 08:58 |
nfrmatk | rbasak is thinking in the right direction. Separate out your tasks. | 09:00 |
sies34 | or use smbmount on your server | 09:01 |
AfroMark | Will 2 VMs be a drain on resources? It may be that I'm trying to accomplish too much too soon. | 09:08 |
AfroMark | The computer I'm planning to use is fairly old. 2.4Ghz CPU and 2gig RAM. | 09:09 |
AfroMark | I apologise in advance if I'm being a massive newbie. | 09:10 |
nfrmatk | Don't even worry about it. | 09:10 |
nfrmatk | I wish I'd known there was an ubuntu-server channel when I started. | 09:11 |
nfrmatk | 2 VMs will probably be a bit much for that build... | 09:11 |
nfrmatk | You can just test and develop on that machine if you hold off forwarding any ports on your router til you have your ideal configuration. | 09:13 |
AfroMark | I'd better be off now. Thanks to everyone for the advice! It's given me plenty to think about. | 09:24 |
AfroMark | It's likely I'll be back soon though! | 09:25 |
ak5 | hi guys, I have an ubuntu instance that gets an error at `sudo apt-get update` - anyone else have this? It outputs: Reading package lists... Error! And nothing else | 09:54 |
lotia | Is there a recommended way for conditionally setting envionment variable. To elaborate, files ending in .sh on /etc/profile.d are sourced by all users. What if I want to source some env vars in an init script. | 10:42 |
lotia | I don't want to set those vars directly, because several scripts may use them. | 10:43 |
jamespage | lotia, /etc/default/<NAME> | 10:47 |
Daviey | jamespage, rbasak, any other english folk - happy may day. Will you be doing a may pole dance later? | 11:03 |
Daviey | I already have bells on my shoes, all set. | 11:03 |
jamespage | Daviey, already have me bells on | 11:03 |
jamespage | just about to go get my big stick | 11:03 |
Daviey | heh. | 11:05 |
lotia | jamespage: thank you | 11:11 |
zul | workers of the world unite! | 11:11 |
=== stan_ is now known as Guest98943 | ||
Guest98943 | how often /var/tmp is cleared in Ubuntu? | 12:13 |
=== Guest98943 is now known as stan_0001 | ||
stan_0001 | Is /vat/tmp cleared automatically in Ubuntu? | 12:14 |
jacobw | stan_0001: /tmp is a ramdisk, it exists in ram only. It's not that it's cleared on shutdown, it's that it doesn't survive shutdowns at all. | 12:17 |
stan_0001 | jacobw, i see thanks. | 12:18 |
jacobw | stan_0001: /var/tmp isn't a ramdisk, it's just a directory in the filesystem on the disks, it's just like any other directory | 12:18 |
jacobw | stan_0001: Consider symlinking to /tmp or mounting /var/tmp as a ramdisk | 12:21 |
=== Jikan is now known as Jikai | ||
=== Jikai is now known as Jikan | ||
slestak | im seeing a strange screen artifact using byobo + tmux that doesnt occur when using straight screen. | 13:31 |
slestak | i dont use tmux outside of byobu, | 13:31 |
slestak | not sure if this would be a good channel to discuss this since byobu is an ubuntu creation | 13:31 |
slestak | sometimes when i resume a disconnected session, I have a {window|pane|whoknows} off to teh side that seems to be filled with period characters. I dont think i can switch to it, and I cannto make it occur on demand, but it does occure pretty frequwently. | 13:33 |
slestak | It might be related to resuming a session with a terminal with a different windo size thatn the one detached | 13:33 |
slestak | anyone seen that on their installs? I am using the current putty to connect to ubuntu 12.04.2 | 13:34 |
slestak | i'll get a screenshot next time | 13:35 |
slestak | kirkland: ping, have you seen this happen? | 13:36 |
kirkland | slestak: hi | 13:36 |
slestak | good mornig man. | 13:36 |
slestak | thsi is not a big issue, just somethign im tryng to figure out. if you think it is def a tmux thing i'll go talk to them | 13:37 |
kirkland | slestak: it's just like you say -- when you see the "periods", you're connecting from a terminal larger than some other terminal that's also connected | 13:37 |
kirkland | slestak: it is a feature/function of tmux | 13:37 |
kirkland | slestak: you can force disconnect the other client | 13:37 |
kirkland | slestak: let me find the command/key for that | 13:38 |
slestak | im trying to see where the feature part of that comes in. for instance, doesnt gnu screen handle that a little more gracefully? | 13:38 |
slestak | i can look at the docs, thanks for the pointer | 13:38 |
kirkland | slestak: I prefer tmux's handling of it, actually | 13:39 |
slestak | cool, i'll check it out. | 13:40 |
kirkland | slestak: but that's probably just preference | 13:40 |
kirkland | slestak: okay, you can do this... | 13:40 |
slestak | just wasnt understanding the implemetation | 13:40 |
kirkland | slestak: if your escape key is ctrl-a, then try pressing ctrl-a-D | 13:40 |
kirkland | slestak: note that's a capital D | 13:40 |
kirkland | slestak: that will show you a list of attached clients | 13:40 |
kirkland | slestak: and the geometry of their screens | 13:40 |
kirkland | slestak: pick the one you want to kill (probably the smallest geometry) | 13:40 |
kirkland | slestak: and you'll detach that client's connection | 13:41 |
kirkland | slestak: I think there's a byobu feature request to add a hotkey to "detach all clients not myself" | 13:42 |
slestak | cool | 13:42 |
slestak | thanks for byobu | 13:42 |
kirkland | slestak: you bet! thanks for using it! | 13:42 |
billy_ran_away | Can anyone explain why my pvscan isn't showing the correct volumes and it says something about "Incorrect metadata area header checksum" http://pastie.org/7746710 | 13:51 |
=== wedgwood_away is now known as wedgwood | ||
=== bladernr` is now known as bladernr | ||
pmatulis | billy_ran_away: prolly b/c lvmscan is looking at non-LVM partitions | 14:33 |
billy_ran_away | pmatulis: Yea I was hoping that was it, but it's not. | 14:33 |
billy_ran_away | pmatulis: I'm closer to solving I think, thanks for the suggestion though. | 14:34 |
pmatulis | billy_ran_away: ok, report back when you find out more | 14:34 |
billy_ran_away | pmatulis: Okay thanks | 14:35 |
=== Jikan is now known as Jikai | ||
=== dosaboy_ is now known as dosaboy | ||
=== Jikai is now known as Jikan | ||
=== Ursinha is now known as Ursinha-afk | ||
=== Ursinha-afk is now known as Ursinha | ||
RoyK | anyone here that can explain where and how md arrays are assembled? seems lucid assembles nested arrays fine, but precise and later does not. it assembles the base arrays, but not the ones on top (as in raid-5+0 etc). See bug 1171945 for details. | 15:50 |
uvirtbot | Launchpad bug 1171945 in mdadm "Nested RAID levels aren't started after reboot" [Undecided,Confirmed] https://launchpad.net/bugs/1171945 | 15:50 |
parallel21 | Anyone know how I can manage user's home directories across a series of machines? | 16:09 |
Corey | parallel21: Salt, ldap, puppet, chef, cfengine, spine, rsync, and NFS mounting, just to name a few. | 16:27 |
genii-around | My votes with rsync. | 16:31 |
Corey | Oh god that's horrible. | 16:33 |
Corey | genii-around: I use git / vcsh. | 16:33 |
genii-around | I've heard of using git for this sort of thing but never tried it myself. | 16:34 |
parallel21 | I'm not so concerned about dotfiles, but stuff like text files and managing user profiles and passwords across machines. I'd like to be able to add an ssh user across a set of a machines | 16:43 |
Corey | parallel21: Yes, welcome to the world of either LDAP, or configuration management. Your pick. | 16:45 |
Corey | parallel21: And really, ssh keys make more sense in this decade. | 16:46 |
Corey | parallel21: How many servers are we talking? | 16:46 |
parallel21 | Corey: Under 10… I'd really like to use something like puppet. But I'd like something I could deploy more quickly, as I know little about puppet. LDAP would be OpenLDAP? Ssh-keys wouldn't just fix it would it? They'd need a home folder and the like? | 16:49 |
Corey | parallel21: saltstack.org is probably your best bet. | 16:49 |
parallel21 | Corey: This looks awesome | 16:51 |
Corey | parallel21: Thank you. #salt is also a good resource here. | 16:52 |
resno | parallel21: look at ansible | 17:04 |
resno | #ansible also | 17:04 |
resno | its all ssh based command, but can build up if needed | 17:05 |
GeminiDomino | I'm trying to set up postfix with SMTP AUTH on 12.04 but the guide on help.ubuntu.com seems to be out of date with regard to dovecot configuration. Does anyone know of another resource? | 17:05 |
parallel21 | GeminiDomino: I've been doing the same | 17:11 |
GeminiDomino | Any luck? | 17:11 |
parallel21 | GeminiDomino: Where are you having a problem? | 17:11 |
parallel21 | Going in works… smtp auth out does not | 17:12 |
GeminiDomino | I'm not getting the "250-AUTH xxx" lines in the ehlo response | 17:12 |
parallel21 | Hrmmm.. | 17:12 |
GeminiDomino | Yep. Just did it from scratch again... I get the STARTTLS announce, but no auth... | 17:21 |
GeminiDomino | I never thought I'd miss Sendmail. <_< | 17:37 |
RoyK | postfix? | 17:38 |
GeminiDomino | That's what's making me miss sendmail. :) | 17:39 |
parallel21 | Yeah, I was thinking about sendmail as well. What's the diff? | 17:40 |
* RoyK mumbles something about PEBKAC | 17:41 | |
parallel21 | pbkac? | 17:41 |
GeminiDomino | parallel21: Sendmails configuration files make perl look readable. :) | 17:43 |
psivaa | hallyn: hello :) | 17:52 |
psivaa | 'sudo kvm -hda test.img -monitor stdio' returns 'Could not initialize SDL(No available video device) - exiting' on our precise servers | 17:53 |
hallyn | psivaa: what happens when yo type 'xterm' ? | 17:54 |
hallyn | psivaa: shorter answer: add '-vnc :1' | 17:54 |
psivaa | hallyn: ok thanks, adding '-vnc:1' makes it work, xterm is not installed though | 18:02 |
=== Ursinha-afk is now known as Ursinha | ||
=== gary_poster is now known as gary_poster|away | ||
=== gary_poster|away is now known as gary_poster | ||
=== gary_poster is now known as gary_poster|away | ||
=== gary_poster|away is now known as gary_poster | ||
=== Ursinha is now known as Ursinha-afk | ||
=== Ursinha-afk is now known as Ursinha | ||
=== smb` is now known as smb | ||
bananapie | Can I unbond two network interfaces that were bounded at boot using network/interfaces without risking the stability of the production server or the second bonded interface without rebooting the server? | 20:56 |
bananapie | I tried ifenslave -d bond1 eth2 eth3 | 21:03 |
bananapie | ok it worked, it just took a few seconds | 21:06 |
bananapie | there was probably a machine whose arp tables didn't update or something | 21:06 |
bananapie | thanks | 21:06 |
=== mikal__ is now known as mikal | ||
Aison | I upgraded my testserver to raring, now it no longer boots. In recovery mode I can see some output from the kernel, but after | 21:55 |
Aison | running scripts/init-bottom | 21:56 |
Aison | it hangs | 21:56 |
Aison | in ubuntu I heard that I should use nomodeset as kernel options | 21:56 |
Aison | but that don't help | 21:56 |
Aison | any hints? with grml I can boot into the system and changeroot | 21:58 |
Marlinc | What packages do you need to install on a MAAS node? | 21:58 |
Marlinc | In order to connect it to the MAAS server | 21:58 |
markthomas | Aison: can you boot it in rescue mode and mount the root filesystem? | 22:28 |
Aison | markthomas, no, the system hangs directly after printing the message | 22:30 |
Aison | Begin: Running /scripts/init-bottom ... done. | 22:30 |
Aison | then I can't do anything | 22:30 |
markthomas | Aison: That's from a cold boot? Hmmm | 22:31 |
Aison | yes | 22:31 |
markthomas | Aison: how about a rescue CD? We want to try to take a look at syslog. | 22:32 |
Aison | I think I have to create a rescue CD first :) | 22:33 |
sarnold | Aison: maybe try init=/bin/sh before burning a CD? :) | 22:34 |
Aison | uhm, where should I try that? :P (maybe stupid question) | 22:35 |
thesheff17 | does anyone have any experience with the JMX and tomcat... I keep getting Debugger failed to attach: handshake failed - received >< - expected >JDWP-Handshake< | 22:35 |
Aison | grub? | 22:35 |
cydizen | Aison: I might have missed an earlier post but have you tried to boot in Single User mode? (also from grub) | 22:35 |
Aison | cydizen, no | 22:35 |
sarnold | Aison: yes, from grub, you can add that init=/bin/sh to the kernel command line | 22:36 |
Aison | there I can also add single for single user mode? | 22:37 |
cydizen | Aison: yes you can | 22:37 |
sarnold | single is more polite :) | 22:37 |
cydizen | I would only recommend trying one of our methods at a time though. Process of elimination | 22:37 |
=== bigjools_ is now known as bigjools | ||
markthomas | Agreed. Booting from a rescue CD while trying single-user and init=/bin/sh...overkill, perhaps. | 22:39 |
markthomas | ;) | 22:39 |
cydizen | thesheff17: when you do a ps -ef and look at your java line, does it explicitly state JMX and port number? | 22:39 |
Aison | cydizen, well, single was already the (because of recovery mode) | 22:40 |
Aison | so that is tested | 22:40 |
Aison | also nomodeset | 22:40 |
thesheff17 | cydizen, it does | 22:40 |
Aison | with init=/bin/sh I get a kernel panic :) | 22:41 |
cydizen | Aison: What version did you upgrade from? | 22:41 |
Aison | 12.something | 22:42 |
Aison | quantal? | 22:42 |
Aison | I also tested it on a second machine with a brand new quantal 12.10 installation | 22:43 |
Aison | same problem there | 22:44 |
Aison | on the other hand, it worked on my notebook | 22:44 |
Aison | but there it was xubuntu | 22:44 |
markthomas | Aison: If you can't get grub to boot into single-user mode in any variant, it's time to grab optical media. | 22:45 |
cydizen | I agree with markthomas on that | 22:45 |
Aison | markthomas, what should I do? download ubuntu server and then there is a rescue mode? | 22:45 |
cydizen | thesheff17, in my experience you might have something conflicting on the specified port. Can you change it and try again? | 22:47 |
cydizen | else that port is being block by a segment of your network | 22:48 |
thesheff17 | its weird I tried port 8001 instead of 8000...same problem...I can telnet to the port fine...I even tried tunneling through ssh and it throws the same error | 22:49 |
markthomas | Aison: Try grabbing the desktop version. The live CD that it launches will give you a comfy working environment to mount the server filesystem. Assuming you don't have any obscure controller drivers compiled into your kernel... | 22:49 |
markthomas | thesheff17: you can't even tunnel and connect to localhost? | 22:51 |
thesheff17 | markthomas, let me try | 22:52 |
thesheff17 | markthomas, it connected then through a giant stack trace | 22:57 |
thesheff17 | I wonder if it is because I'm using the openjdk vs the sun jdk | 22:58 |
markthomas | thesheff17: I don't know. I'm not a Java dev. However, if the app can receive connections from localhost but not externally, then that does sound like a network issue. Just to confirm: you tried turning off ufw and flushing the iptables rules? | 23:01 |
cydizen | let's check a couple of things | 23:02 |
cydizen | in your running process, -Dcom.sun.management.jmxremote.port=????? | 23:02 |
cydizen | what port is specified there | 23:02 |
thesheff17 | markthomas, yea I can even telnet from my local machine to it....and it throws that handshake error...JMX just doesn't like me. | 23:07 |
markthomas | thesheff17: we're rapidly reaching the limits of my Java expertise, if we're not already there. cydizen? | 23:08 |
sarnold | markthomas: btw, it is possible for an application to bind a port to the localhost ip address and thus only accept connections from localhost | 23:09 |
thesheff17 | oh sorry cydizen I didn't see that message | 23:09 |
thesheff17 | I have port 8000 | 23:09 |
sarnold | markthomas: no firewall necessary | 23:09 |
thesheff17 | JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n" | 23:09 |
thesheff17 | could my app make the JMX stack trace like that...maybe I should try to remove my app and try to connect again | 23:10 |
markthomas | sarnold: does that JAVA_OPTS look right to you? | 23:11 |
thesheff17 | its the stock from /etc/default/tomcat7 | 23:11 |
sarnold | markthomas: sorry, that's also beyond my java :( hehe, I just know POSIX API... | 23:11 |
markthomas | address=8000? Is that right? | 23:14 |
thesheff17 | well that it what was in the /etc/default/tomcat7 file...it stack traced even without my app loaded | 23:14 |
markthomas | thesheff17: guessing wildly, it sounds like you've got java runtime issues. | 23:15 |
thesheff17 | yea its weird...I'm going to try and start up a new lxc container and do some testing...thx all for the help | 23:15 |
cydizen | thesheff17, im sorry I was disconnected. Did you verify you are connecting to that port? | 23:18 |
cydizen | (whatever is listed) | 23:18 |
cydizen | If so the next thing we want to verify is: -Dcom.sun.management.jmxremote.authenticate=false | 23:19 |
cydizen | (unless you set up auth specifically ) | 23:19 |
thesheff17 | so the port is set to 8000...I'm forwarding X to my local machine and running jconsole | 23:19 |
thesheff17 | and then I got a giant stack trace | 23:19 |
thesheff17 | I'm loading up an lxc-container and verifying I didn't break something with the installation of tomcat | 23:20 |
cydizen | in the stack trace are you getting an X11 error? | 23:21 |
thesheff17 | no it looks like a java.util error | 23:21 |
cydizen | boy, you have a good one brewing today dont you? :) | 23:22 |
sarnold | oh you get a stackdump? can you pastebin it? | 23:22 |
thesheff17 | yea this is def one of those crazy days :) | 23:22 |
thesheff17 | yea one sec for the pastebin | 23:24 |
thesheff17 | I'm trying it in this new container | 23:24 |
thesheff17 | and see if it fails | 23:24 |
=== Gasseus is now known as Rallias | ||
thesheff17 | wow it happened with the stock tomcat and openjdk6 http://paste.ubuntu.com/5624364/ | 23:26 |
sarnold | darn, nothing obvious to me. that 99% used makes me wonder but I haven't got a clue how to read it | 23:29 |
thesheff17 | yea I installed openjdk-6-jdk tomcat7 and uncommented JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,serve | 23:33 |
thesheff17 | r=y,suspend=n" and it blows up | 23:33 |
cydizen | what port is tomcat listening on? (server.xml) | 23:34 |
thesheff17 | it defaults to 8080 | 23:35 |
cydizen | just curious thesheff17, since you have access to the server, does catalina.out contain the information you are looking for to begin with? | 23:46 |
thesheff17 | cydizen, well we are doing some load testing and third party company is coming in and wanted JMX access and I thought I could get this working....I'm just a sys admin | 23:47 |
cydizen | other than that, the only other thing I can see is setting tomcat to run with debugging via options in catalina.sh | 23:47 |
cydizen | export JPDA_ADDRESS=8000 | 23:48 |
cydizen | export JPDA_TRANSPORT=dt_socket | 23:48 |
cydizen | bin/catalina.sh jpda start | 23:48 |
Aison | markthomas, how can I use now the disk to read the logs? | 23:48 |
Aison | or the rescue the system | 23:48 |
markthomas | Aison: Have you booted to the live CD? | 23:49 |
Aison | yes | 23:51 |
Aison | I can also mount the harddisk | 23:51 |
Aison | chroot | 23:51 |
Aison | etc... | 23:51 |
Aison | but no I idea what is broken | 23:51 |
Aison | so no idea where to start | 23:51 |
markthomas | Aison: okay. So, now cd into /mnt/var/log/ or whatever mount point you're using, and let's have a look at the syslog log file. | 23:52 |
Aison | well, syslog is not touched since the upgrade to raring | 23:53 |
=== markthomas_ is now known as markthomas | ||
markthomas | Okay. Look for anything that has been. | 23:54 |
Aison | so when I boot the kernel now, the drive is not mounted and no logs a written | 23:54 |
sarnold | Aison: you're not that interested in new logs, just old logs | 23:54 |
markthomas | Okay. Give me one sec. | 23:55 |
sarnold | markthomas: heh, how'd you upset services so badly? | 23:55 |
markthomas | Sorry? | 23:55 |
sarnold | markthomas: disconnected by services and so forth | 23:55 |
markthomas | Had to reboot. On my tablet until it comes back up. | 23:56 |
markthomas | Stupid nickserv. | 23:56 |
sarnold | aha :) | 23:56 |
skraito | hellow | 23:57 |
skraito | anyone here | 23:57 |
skraito | is ubuntu server free | 23:57 |
skraito | 0x71 would like to code ubuntu server hardening script | 23:58 |
skraito | will the apt-get upgrade will be free ? | 23:58 |
sarnold | skraito: yes, completely free. | 23:58 |
skraito | ah ic so apt-get upgrade will work without license right ? | 23:58 |
skraito | i am trying to play with it now | 23:59 |
sarnold | skraito: well, everything is -licensed-, but with an opensource license that gives you rights and responsibilities. The different components can have different licenses... | 23:59 |
skraito | http://0x71.org/2013/05/01/0x71-0day-bash-keylogger-release/ | 23:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!