[00:02] <halvors> Hi! Seems like AppArmor is blocking bind, anyone know how to fix that?
[00:02] <halvors> Jun  6 01:03:58 s2 kernel: [ 4787.970523] type=1400 audit(1370473438.770:18): apparmor="DENIED" operation="link" parent=1 profile="/usr/sbin/named" name="/var/lib/bind/db-leUm8nfK" pid=5161 comm="named" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/var/lib/bind/drommelan.com.hosts"
[00:03] <sarnold> hey halvors
[00:03] <halvors> sarnold: Hi! :)
[00:04] <halvors> I'm trying to sync from master dns server to slave dns server.
[00:04] <halvors> Syncing works, but seems like apparmor is blocking BIND to save the zones to disk :(
[00:04] <sarnold> halvors: in /etc/apparmor.d/usr.sbin.named you'll need to add a line like "link /var/lib/bind/db-* /var/lib/bind/*.hosts,"
[00:05] <sarnold> sigh
[00:05] <sarnold> halvors: in /etc/apparmor.d/usr.sbin.named you'll need to add a line like "link /var/lib/bind/db-* -> /var/lib/bind/*.hosts,"
[00:05] <sarnold> (note the '->')
[00:09] <halvors> sarnold: Thank you very much :) That works like a charm :D
[00:11] <sarnold> halvors: excellent; would you mind filing a bug against bind with this?
[00:22] <cellofellow> I'm setting up an email hosting service. Main customer uses Mail.app on Mac OS X, which when you add an account tries to connect to autodiscover.example.com. Currently that will just serve up a redirect webpage.
[00:22] <cellofellow> Question: how do find docs on implementing this autodiscover magic?
[00:27] <qman___> said autodiscover is an MS exchange thing
[00:27] <qman___> so unless you have MS exchange or an exchange compatible server, it won't do you any good
[00:28] <cellofellow> ok
[00:28] <cellofellow> Dumb thing is we have *.mydomain.com resolving in DNS, so it still hits something when it looks for autodiscover instead of just moving along.
[00:29] <cellofellow> so, there's no way to implement that exchange thing?
[00:29] <qman___> yeah, that's just one of many reasons that wildcard DNS is a pain
[00:29] <qman___> you'd need an MS exchange compatible server such as zimbra or openchange
[00:29] <qman___> and then you'd have to make autodiscover point at it
[00:30] <cellofellow> hm
[00:30] <qman___> (that assumes those support autodiscover, I don't know if they do(
[00:30] <cellofellow> hey, thanks
[00:30] <cellofellow> Gonna stick to dovecot+postfix, and let Mail.app be painful I think.
[00:30] <qman___> easiest workaround would be to make autodiscover point to an unresolvable location
[00:31] <cellofellow> true
[00:39] <sarnold> can you add a rule just for that to aim for 127.0.0.1? or add something in your webserver to handle that location with a 404 or 403? perhaps some combination would make it not so painful..
[00:40] <qman___> right, if you set up a public A record for it pointing to 127.0.0.1 it would fail quickly
[00:42] <qman___> or if you're concerned about people having local web servers, 127.255.255.255
[00:42] <qman___> since pretty much nothing is going to bind to that
[00:43] <sarnold> heh, nice
[00:44] <halvors> sarnold: I don't know if it's a bug, i've been using Webmin, and the zones are saved in a different place than usual on Ubuntu. So i don't think it actually should be fixed? :)
[00:45] <qman___> !webmin
[00:45] <qman___> that's why
[00:45] <halvors> Or, wait? Does it save them in the actual right place?
[00:45] <sarnold> halvors: sadly I don't know enough BIND to know ..
[00:45] <halvors> qman_: I know, and thats whay there shouldn't be any bug reports...
[00:45] <sarnold> halvors: but at least a bug report might save the next guy a bit of trouble
[00:46] <sarnold> .. and get the problem in front of someone who probably knows bind better than I do :)
[00:46] <qman___> that's really all it is, webmin is saving things in a different location
[00:46] <qman___> the apparmor profile is really strict on bind, due to its long history of exactly that sort of exploit
[00:46] <sarnold> oh right, qman___ knows bind :) hehe
[00:47] <qman___> people have been chrooting bind for a decade
[00:48] <qman___> so, in order of preference, don't use webmin, modify the apparmor profile, or turn off apparmor
[00:49] <halvors> qman___: :)
[00:50] <halvors> qman___: I know Webmin isn't supported, but i've been using it for years, never had a problem like this. The only reason i asked is that i don't actually knows AppArmor :)
[00:50] <qman___> problems like this one are exactly why we have that bot message
[00:51] <halvors> So Webmin is working well, even if its not supported :) There is actually nothing like it out there (As far as i know) :)
[00:51] <qman___> webmin does silly things that leave nasty surprises under some circumstances
[00:51] <halvors> qman___: But it's easy to modify webmins default configuration so that it works :)
[00:51] <halvors> This is an example of that, it's not a crash :)
[01:14] <mgw> smoser: just read http://ubuntu-smoser.blogspot.co.uk/2013/02/using-ubuntu-cloud-images-without-cloud.html
[01:15] <mgw> In relation to this, I have a question about how one would use a custom cloud-init data source (with the api described here: https://cloudinit.readthedocs.org/en/latest/topics/datasources.html) instead of a data source file.
[01:21] <mgw> does anybody know how to do that?
[01:59] <sarthor> Hi, what software or package I will need that my ubuntu-server can translate pdf files to postscrip for my network dot matrix printer
[02:00] <sarnold> sarthor: ghostscript has a pdf2ps tool
[02:01] <sarthor> sarnold: ghostscrip-cups installed already and my printer is printing raw text, any Idea?
[02:02] <sarthor> sarnold: using frontaccounting software on ubunter-server and printer is shared on win7 pc. using lpr protocal
[02:02] <sarnold> sarthor: perhaps the printers.conf (iirc) from cups lets you specify a filter for certain file types..?
[02:04] <sarthor> sarnold: here is one image https://www.dropbox.com/sh/e8390d5gbqbolb9/Tihn1su5l-#f:Front-Accounting-Network-printer.png
[02:04] <sarthor> that 192.168.1.148 is winodws 7 machine and printer is installed and shared on that pc.
[02:04] <sarthor> sarnold: as I am not an expert, but I think it will not need any cups or translator?
[02:05] <sarnold> sarthor: no idea there, I've not done windows printing since NT 4 ..
[02:06] <sarthor> sarnold: great, Thanks brother, Googling.
[02:06] <sarnold> sarthor: good luck :)
[02:25] <resno> hey yall. i need some suggestions about things to install.
[02:26] <resno> i've got monitoring setup, should i be aggregating logs?
[04:44] <Chunky56> can anyone help me with a raid issue?
[04:55] <mgw> What's the best way to take a prebuilt cloud image and add some more packages to it?
[04:56] <Chunky56> I'm not sure anyone is here to answer questions
[05:08] <Patrickdk> chunky, it helps if a relevent question is asked
[05:08] <Patrickdk> !ask
[05:08] <Patrickdk> since you failed to ask a proper question, I cant answer you
[05:08] <Patrickdk> and since I'm going to bed now, good luck
[05:11] <Chunky56> oh sorry
[05:12] <Chunky56> I was away from this window for a sec
[05:13] <Chunky56> Well if anyone is reading and can help, I have a software RAID5 array on Ubuntu Server and one of my hard drives died. I got a new one and was trying to add it, but accidentally set faulty one of my OTHER hard drives, and now cannot add this other hard drive back into the array
[05:14] <Chunky56> How do I manually add this other hard drive that still has the raid data and still knows it was part of the array back into the array?
[05:19] <qman___> Chunky56, relevant to you: http://www.linuxquestions.org/questions/linux-server-73/mdadm-raid-5-single-drive-failure-644325/
[05:20] <qman___> basically you force assemble
[05:21] <qman___> then add the new drive and it rebuilds
[05:23] <Chunky56> I see the command at that link--do I use the existing /dev/md127 (which is what my raid is called) or do I specify a new one?
[05:24] <Chunky56> The mdadm --assemble --force /dev/md0 <device 1> <device 2> ... <device N> command I mean
[05:34] <Chunky56> I want to make sure the command I run is correct--so if I have 3 devices currently connected (my new fourth hard drive is not plugged in yet), called /dev/sdb1, /dev/sdc1, /dev/sdd1 and my raid array is /dev/md127, then is the command i use 'sudo mdadm --assemble --force /dev/md127 /dev/sdb1 /dev/sdc1 /dev/sdd1'?
[06:06] <Chunky56> qman___, I tried to force assemble but it says 'mdadm: cannot open device /dev/sdb1: Device or resource busy'--does this mean I should stop the array first or something?
[06:07] <qman___> yes
[06:16] <Senor> iwlist wlan1  scanning, it output many IE:unknown ......
[06:16] <Senor> Is this output normal?
[06:17] <Chunky56> qman___, thank you so much--it's at least back to its degraded state!
[06:17] <sgrover> Need help.  12.04-lts server.  /boot filled up and an upgrade failed.  I've purged all older kernels.  apt-get -f install still fails with an unmet dependency for linux-image-3.2.0-41-generic-pae not being installed.  I can't get around this and am beginning to not trust a reboot...
[06:18] <sgrover> I've tried all the tricks mentioned here http://askubuntu.com/questions/296578/i-have-purged-the-current-kernel - but when they say to run the apt-get -f install command, it still fails for me.
[06:18] <sgrover> (that page is a decent summary of the tricks I've seen posted....)
[06:27] <sarnold> sgrover: compare your ls /boot  against  dpkg -l | grep linux-image  -- you'll need to make sure at least one kernel image is left in /boot and that specific package is still installed..
[06:28] <sgrover> I have linux-image-3.2.0-45-generic-pae (and related files) in /boot, and it is marked as "ii" in the dpkg -l.
[06:29] <sgrover> But there are others listed in the dpkg -l as well...  Do I need to purge those?
[06:29] <sgrover> er, others with ii
[06:29] <sarnold> sgrover: you ought to delete whichever ones no longer have corresponding kernels on disk
[06:31] <sgrover> except for the virutal one.. (linux-image-generic-pae) - working on it.
[06:33] <sgrover> k, I only have linux-image-3.2.0-45-generic-pae and linux-image-generic-pae listed in the dpkg -l, and only the -45 files in /boot.  the apt-get -f install still fails with "linux-image-generic-pae depends on linux-image-3.2.0-41-generic-pae"
[06:34] <sgrover> (btw, thanks for the suggestions sarnold!)
[06:41] <sarnold> sgrover: hrm. maybe.. delete linux-image-generic-pae as well, get the rest of your package database happy, then re-install linux-image-generic-pae after another apt-get update
[06:42] <sarnold> sgrover: (my 12.04 LTS schroot shows linux-image-generic-pae depends upon -45. I wonder why yours is -41...)
[06:43] <sgrover> guess I can't really hurt things worse... :)  was worried that purging the generic would make things unstable...
[06:43] <sarnold> hehe
[06:43] <sgrover> If worse comes to worse, I can recover the drive in other ways (new install/setup/etc... time consuming, but do-able...)
[06:45] <sgrover> hmm.. in the dpkg -l, it says right there that linux-image-generic-pae wants 3.2.0.41.49, whereas linux-image-3.2.0-45-generic-pae wants 3.2.0-45.70... you may be on to something...
[06:46] <sgrover> no joy.  it tries to re-add the linux-generic-pae package, but that is depending on 3.2.0.41.49.  And I just did an apt-get update...  I'll check for rogue repositories....
[06:52] <sarnold> sgrover: hrm.
[06:52] <sgrover> My sources.list file is the default, and my extra repositories is only the pitti-postgresql repo.  I've removed those for now.
[06:54] <sgrover> (the pitti files seem to be marked for "maverick", so could be referring to older packages even...)
[06:55] <sarnold> sgrover: aha, probably it would be worth to try to move those to precise
[06:55] <sarnold> sgrover: .. but they probably aren't involved
[06:56] <sgrover> shouldn't need them anymore - they were only so PostgreSQL 9.1 could be installed at the time...
[06:56] <sarnold> ah
[06:56] <sgrover> BUT, I *may* be fixed.
[06:57] <sgrover> linux-generic-pae was also depending on 3.2.0.41.49.  Purged that and the apt-get -f install *seems* to be working - not reporting the same error at least.
[06:57] <sgrover> now it is reporting that it is ignoring the 'pitti-posgresql' files in /etc/apt/sources.list.d  (I renamed em with a .bkup extension, so now apt doesn't know what to do with em.)
[06:58] <sgrover> I think I'm fixed.  apt-get upgrade is running now....
[07:05] <sarnold> sgrover: excellent!
[07:05] <sarnold> sgrover: now try adding back the linux-generic-pae once it's done, so you get upgrades in the future..
[07:05] <sgrover> done already.  And dpkg -l nicely reports it depends on -45.x now...
[07:06] <sgrover> Thanks bunches for the support/assistance/encouragement... :)
[07:08] <sarnold> sgrover: glad it worked out :)
[07:08] <sgrover> Oh and I'll need to make sure PostgreSQL will be handled properly without the PPAs.
[07:11] <sarnold> should be, pitti takes care of the package for the distribution as well :)
[07:12] <sgrover> yep, it looks like it's going to be fine without the PPAs, but I don't want to just toss em quite yet...
[07:14] <sgrover> sarnold: k. I'm calling it a night (1:13am here...).  Thanks again and have a great night/day!
[07:14] <sarnold> sgrover: thanks, goodnight
[07:54] <adam_g> jamespage, w00t both folsom and grizzly point releases got released to -updates. both CA -proposed pockets should be good to move to -updates
[08:00] <adam_g> jamespage, actually i lied, precise-folsom proposed keystone is lagging behind our last rebase: http://people.canonical.com/~agandelman/ca/folsom/keystone_2012.2.4-0ubuntu3/
[08:32] <jamespage> adam_g, yeah - but we have exactly the same code in the CA
[08:32] <jamespage> that last update just fixes a ftbfs
[08:32] <jamespage> adam_g, I'll process that today
[08:39] <abhi_> Hi there everyone. I recently got a pdf file with a cert file (PFX). I even got a "key" to open the "PFX file". I can successfully install the pfx file in MS Windows 7 and open the PDF file there. I am "super new" to Ubuntu. Can anyone please tell me how to install/import PFX into Ubuntu ? I am currently using Ubuntu 13.04. Please help...
[08:49] <rbasak> abhi_: sounds like you want #ubuntu for help, rather than this server-specific channel. Try there?
[09:10] <yolanda> hi, anyone knows about vgs command? which package provides it? i'm unable to find it
[09:11] <Enich> Hello Nagios guys, i am installing a Nagios3 server  on a ubuntu, it promts me for the Password for the NagiosAdmin when i install.  Would anyone know a clever way to install without promting for the password?  i was thinking either by defining it before installation in a variable of sorts, or installing it without a password and then doing a htpasswd -b nagiosadmin $password.   I am doing unattended installations (for non production educational environ
[09:11] <Enich> ments)
[09:11] <Enich> yolanda,  lvm2 ?
[09:12] <Enich> $vgs   tells me that you need to install lvm2
[09:12] <yolanda> damn, i tried "lvm" without the 2
[09:12] <rbasak> yolanda: it's lvm2
[09:12] <yolanda> thx
[09:12] <rbasak> yolanda: I used "apt-file find vgs" - it needs setting up first but is really helpful for this kind of query.
[09:12] <Enich> yolanda, if you fire up a command that isnt installed or isnt present, you will often be told which package it is part of :)
[09:12] <abhi_> I log into my ubuntu 13.04 and click on the PFX file. It (CERT_SYSTEM_STORE_CURRENT_USER_My_0_Pushpendra.pfx) says The contents of 'CERT_SYSTEM_STORE_CURRENT_USER_My_0_Pushpendra.pfx' are locked. In order to view the contents, enter the correct password.. I enter the password for the PFX key  and click "Ulock" . I dont have any idea as to what to do next. PLEASE HELP HELP HELP...
[09:13] <yolanda> yes, with apt-search i was unable to find it
[09:14] <Enich> Unattended Nagios3 installation anyone ?
[09:14] <rbasak> abhi_: did you see my message? If you're clicking on something, you're in the wrong channel. This is a server channel. Please go to #ubuntu for help with your desktop.
[09:31] <yolanda> jamespage, zul: https://code.launchpad.net/~yolanda.robla/cinder/havana/+merge/167726
[11:47] <Siebjee> Does any one has experianced performance differences with Ubutntu 12.04 LTS and Dell Poweredge M610
[12:13] <bicyus> op... op... op... op-op!
[13:06] <linocisco> hi
[13:26] <yolanda> jamespage, zul, i'm working on squid3 tests. I have a problem, that the squid3 has been converted to upstart. And now i have to use the start/stop squid3 commands. But a stop without any started process gives error. What should be the better way to only stop the service if it was running? Checking with a pidof?
[13:27] <zul> yes
[14:26] <sarthor> Need help. when I send print to my printer,the error logs say,  +0300] Unable to encrypt connection from localhost - An unexpected TLS packet was received
[14:41] <codepython777> update-rc.d nginx defaults —> Tells me —> System start/stop links for /etc/init.d/nginx already exists —> But nginx does not start at boot
[14:50] <codepython777> anyone running nginx ?
[15:09] <tohuw> codepython777: If you don't get a response for some time, try repeating your question rather than asking an "anyone" question. Regarding your original question: is nginx trying to start? Anything in syslog or so?
[15:28] <codepython777> tohuw: nothing in syslog
[15:29] <codepython777> I added a separate line in /etc/rc.local that starts nginx now. Still have no clue why it wont start automatically
[15:31] <tohuw> codepython777: Are the links actually there in /etc/rcX.d (where x is the desired runlevel)?
[15:32] <tohuw> (see man update-rd.d for more about the links)
[15:37] <yolanda> zul, did you have a change to look at the kombu version bug?
[15:37] <zul> yolanda:  not yet im getting the builds working again and then will have a look
[15:38] <yolanda> great
[15:41] <codepython777> tohuw: in rc2.d -> lrwxrwxrwx  1 root root   15 2013-05-09 17:08 S20nginx -> ../init.d/nginx
[15:42] <tohuw> codepython777: you mentioned you dropped into rc.local, but can you verify /etc/init.d/nginx start works?
[15:43] <codepython777> it complains
[15:44] <tohuw> of?
[15:44] <codepython777>  * Starting nginx nginx                                                                                                                                                                                     nginx: invalid option: "/var/run/nginx.pid"
[15:45] <tohuw> Well, there's your problem. When nginx is running correctly, where does it maintain a pid file? Also, did nginx provide that init.d file?
[15:46] <codepython777> tohuw: i installed nginx and ran it
[15:46] <tohuw> Regardless, look at its content and decide why it is providing and invalid option
[15:46] <codepython777> i dont know where the default pid is supposed to be located
[15:47] <tohuw> Check what it does when running with strace or so. It sounds like there is a bug in the nginx package if the init.d script doesn't work out of the box. File a bug appropriately, which may give you some better insight.
[15:47] <tohuw> (as it is likely to be replied to with a correction or explanation)
[16:40] <phretor> I found this old bug ticket https://bugs.launchpad.net/ubuntu/+source/vm-builder/+bug/629242 about vmbuilder ignoring the --mac option - I still see the bug and I haven't found any workaround. Anyone?
[17:05] <codepython777> is there a backup tool on ubuntuserver that backs up a directory with data-deduplication?
[17:07] <sarnold> codepython777: rsnapshot can use hardlinks if files are -identical-
[17:07] <sarnold> codepython777: .. though, now that I say it, I'm not confident it _discovers_ the duplication if the files aren't already hardlinked. nevermind.
[17:08] <sarnold> codepython777: git has some kind of intelligence there, but it might also be magical
[17:09] <codepython777> ah that sucks- rsnapshot that is
[17:10] <codepython777> so no scripts for a backup that wont copy the same file twice?
[18:00] <zul> roaksoax:  https://code.launchpad.net/~zulcss/python-keystoneclient/test-fbtfs-drop/+merge/167822
[18:01] <roaksoax> zul: done
[18:01] <zul> roaksoax:  thank
[18:28] <zul> roaksoax:  https://code.launchpad.net/~zulcss/keystone/keystone-refresh-ftbfs/+merge/167825
[18:33] <sarnold> !eol
[18:38] <zul> adam_g:  ping can we push that cinder patch we are carrying upstream?
[18:38] <adam_g> zul, which?
[18:39] <zul> the paramiko patch
[18:39] <adam_g> zul, they set the version requirement, why would they revert it?
[18:39] <zul> so we dont have to carry it and rediff it but yeah
[18:40] <adam_g> zul, i assume the reasons it was set  are still valid. theres a new upstream paramiko package coming to debian soon, so we should be able to drop the patch when we sync that
[18:41] <zul> adam_g:  awesome
[18:54] <zul> roaksoax:  last one https://code.launchpad.net/~zulcss/cinder/refresh-ftbfs/+merge/167831
[19:35] <zul> roaksoax:  hey did you +1 my cinder branch?
[20:12] <LinuxAdmin> hi guys
[20:13] <LinuxAdmin> i need your help with grub on ubuntu server 12.04
[20:14] <LinuxAdmin> I'm trying to install ubuntu with raid1 but after installation i reboot and get grub rescue prompt
[20:14] <LinuxAdmin> software raid, i mean
[20:15] <LinuxAdmin> after this I tried to restore grub, with a live cd but had no result
[20:16] <LinuxAdmin> I reinstalled ubuntu from scratch and the same thing happened once again
[20:17] <LinuxAdmin> I tried installation with a dedicated partition for /boot, without raid, but get the same result
[20:18] <LinuxAdmin> what is happening with ubuntu? I've already did the same setup in the past and I didn't get this problems
[20:18] <LinuxAdmin> I tried supergrubdisk, but couldn't solve my problem
[20:19] <LinuxAdmin> can some one give me some ideas, I'm really considering change to another distro, this is not acceptable with a server version
[20:20] <LinuxAdmin> I loved ubuntu and I've got several ubuntu boxes running on my company, but now I'm really desapointed
[20:21] <LinuxAdmin> disappointed
[20:21] <LinuxAdmin> can some on help?
[20:33] <LinuxAdmin> can someone help with my issue?
[20:38] <SpamapS> LinuxAdmin: help in here is usually a bit slow
[20:38] <SpamapS> LinuxAdmin: give it some tieme
[20:39] <SpamapS> LinuxAdmin: as far as your error with raid1.. can you take a picture of the error you get?
[20:39] <SpamapS> LinuxAdmin: software raid, unfortunately, is really broken in Ubuntu and needs some love. :-/
[20:40] <LinuxAdmin> SpamapS: I get grub prompt after reboot, is everything I get
[20:40] <henkjan> SpamapS: mdadm software raid is not usable in ubuntu?
[20:41] <LinuxAdmin> SpamapS: do Debian suffer from the same problem?
[20:41] <SpamapS> henkjan: it is usable, but it breaks boot sometimes. :-/
[20:41] <SpamapS> no
[20:41] <SpamapS> debian fixed all of this
[20:41] <SpamapS> but for years Ubuntu diverged from Debian
[20:41] <SpamapS> And thus far, nobody has really had time to reconcile.
[20:41] <henkjan> SpamapS: i use it on lots of serveers
[20:41] <SpamapS> I tried a little bit
[20:42] <henkjan> the only issue i see sometimes on lucid based servers
[20:42] <LinuxAdmin> I'm really thinking about move to another distro because of this
[20:42] <henkjan> with sw raid 10
[20:42] <SpamapS> henkjan: it works ok for most use cases, but it often detects a broken RAID and fails when it could just recover.
[20:42] <LinuxAdmin> Debian is a good choice because it's the same of ubuntu
[20:42] <henkjan> the raidset doesnt get assembled quick enough
[20:42] <SpamapS> LinuxAdmin: grub prompt, or initrd prompt?
[20:42] <SpamapS> LinuxAdmin: Debian is not the same as Ubuntu
[20:42] <henkjan> and you'll get dropped in initramfs
[20:43] <SpamapS> LinuxAdmin: Debian has only one supported release at a time (stable).
[20:43] <LinuxAdmin> SpamapS: grub prompt
[20:43] <henkjan> powercycle helps in most of the cases
[20:44] <LinuxAdmin> I loved ubuntu server and I thought that because ubuntu has Canonical on behalf, it should be more stable and didn't suffer for problems like this
[20:44] <LinuxAdmin> I'm really disappointed with ubuntu
[20:45] <LinuxAdmin> I've got some friend that are always saying to me that if I want to sleep well I should use Debian, now I'm starting to give them all the reason
[20:46] <jcastro> SpamapS: I thought we resolved the mdadm problem in the point release?
[20:46] <SpamapS> jcastro: we resolved many problems
[20:47] <SpamapS> https://bugs.launchpad.net/ubuntu/+source/mdadm
[20:47] <SpamapS> shows 55 untriaged bugs, 5 High importance.. and lots of WTF's
[20:47] <SpamapS> there's also a lot of _RAGE_ in that page
[20:48] <jcastro> I share the rage, I won't touch mdadm anymore. :)
[20:51] <SpamapS> I'm kind of surprised no concerned community person has stepped up to fix it
[20:51] <SpamapS> Every once in a while a Canonical employee wades in but then the rage starts up again and they run away screaming.
[20:53] <jcastro> I am spent from the maas SRU
[20:53] <jcastro> but I suppose I could bring it up on the list
[20:53] <SpamapS> With raid controllers costing $100 .. I'm kind of meh on the whole idea.
[20:54] <SpamapS> All of the reasons to use software raid are to save nickels and dimes.
[20:54] <ScottK> http://netsplit.com/2012/10/30/goodbye-ubuntu/
[20:54] <jcastro> I am pretty much a fan of RAID built into the FS, but asking people to use btrfs is probably a bridge too far
[20:59] <SpamapS> jcastro: I feel like btrfs is slipping away. :-/
[20:59] <SpamapS> it has no champion
[21:01] <SpamapS> ScottK: yeah, thats one way to go.
[21:01] <SpamapS> Another is to go buy a $100 3ware SATA raid card, and have better performance. But who wants that? :-P
[21:01]  * SpamapS goes afk
[21:06] <soy_el_pulpo> be aware that some cards are like the old "winmodems", they only provide Win drivers...
[21:07] <maswan> SpamapS: It is far from true that that's all the reasons, there are a few more. Like freedom of having a documented on-disk format with free implementations, being able to read your data from another host when the raidcard breaks, etc.
[21:08] <maswan> SpamapS: Oh, and performance too. For a fair chunk of cases, MD performs better than most HW raid cards. Depends on your workload.
[21:09] <roaksoax> zul: sorry was caught up with some maas work
[21:09] <roaksoax> zul: cinder approved
[21:09] <zul> roaksoax:  thanks
[21:10] <maswan> SpamapS: And as a third point, a $100 raid card would add about 20% to the cost of a server.
[21:11] <maswan> I honestly don't have a good plan for what to do with my server once lucid starts nearing EOL in a couple of years.
[21:12] <maswan> Probably either ZFS on Ubuntu, or switching to Debian for software raid.
[21:13] <maswan> Would kind of suck though, since work is all Ubuntu all day long since breezy
[21:28] <oblivian> An arbitrary header info look up on misc web server that leaped to mind shows that 9/10 servers "leak" system info. Server brand, major and minor release, x-powered by and system it's running on, mostly Ubuntu and CentOS. I thought "best practice" is to hide that kind of information?!
[21:29] <ScottK> Not really.
[21:29] <ScottK> There are enough other ways to tell that for someone dedicated to finding out it's not hard and it doesn't really add to security anyway.
[21:30] <oblivian> Well, from the fact that one server was running Apache2 2.2.14 (Ubuntu) I guickly found out that the system is running Ubuntu 10.04.
[21:30] <SpamapS> maswan: you could invest time in mdadm...
[21:30] <ScottK> Sure.
[21:30] <SpamapS> maswan: or even pay a consultant to fix it.
[21:30] <SpamapS> maswan: boggles my mind that people get mad at a free distro for breaking things. :-P
[21:31] <oblivian> And since I know it is running 10.04 I can find out what version of MySQL is running, at least most likely.
[21:33] <oblivian> So you are saying there's ways to tell what system you are running on, major and minor versions? I.e. Nessus, etc?
[21:33] <ScottK> oblivian: That's all true, but ultimately, "meh".
[21:36] <oblivian> But most attacks these days starts with robots scanning the net for info like that. If you are looking to exploit vuln a found in version x.x.x of server x, you have saved some ppl alot of work.
[21:37] <SpamapS> oblivian: what you're talking about is hardening. There are plenty of strategies for stopping information leakage.
[21:37] <ScottK> Yes, but since we backport security patches and don't bump upstream version numbers as a rule the version string tells you less than you think it would.
[21:37] <maswan> SpamapS: I'm not mad, I'm disappointed though, because I expected better.
[21:38] <SpamapS> maswan: from who?
[21:38] <maswan> SpamapS: From Ubuntu as a project.
[21:38] <SpamapS> maswan: Canonical takes care of Ubuntu, and mdadm is just lower in priority than, say, OpenStack or good EC2 images. Just a fact of life. :-P
[21:38] <SpamapS> maswan: Ubuntu is all of us. So be disappointed in yourself first. :)
[21:40] <oblivian> SkottK: Yes, but I don't think it is "good practice" to show any visitor what versions your system is running on.
[21:40] <maswan> SpamapS: Yeah, I can't fix everything though, and I prefer to spend the time I have for things on the parts where I am most useful.
[21:41] <maswan> SpamapS: But yes, I include myself in that community
[21:41] <maswan> SpamapS: And it is too bad so much time gets eaten by things that are useless to me, like openstack and ec2, compared to proper useful things like mdadm :)
[21:43] <ScottK> oblivian: There are fingerprinting techniques out there that make it essentially impossible to hide it, so if you think you're hiding anything, you're fooling yourself.
[21:44] <ScottK> SpamapS: There are quite a few people that find Canonical's abandonment of servers troubling.  Quite reasonably so, IMO.
[21:45] <maswan> Of course, if I get the impression that noone cares about ubuntu servers anymore, maybe my time is better spent brushing up on my Debian
[21:45] <oblivian> SkottK: Sure, if it is a targeted attack yes. I stil don't see why I shouldn't hide most system info. It takes 30 seconds.
[21:46] <oblivian> SkottK: - Canonical's abandonment of servers troubling. What?!?!?!?
[21:47] <ScottK> If it's not cloud, they don't really care.
[21:48] <ScottK> By servers, I mean the things that people traditionally think of when you think of a server.
[21:48] <ScottK> It's directly related to the mdadm question (see Scott Remnant's blog post).
[21:48] <oblivian> Is Canonical abandoning servers?
[21:48] <maswan> not formally, just not spending any effort on supporting them
[21:50] <oblivian> Do you have a link to Scott Remnant's blog?
[21:54] <ScottK> http://netsplit.com/2012/10/30/goodbye-ubuntu/
[21:58] <oblivian> Thanks Scott, just read it.
[21:59] <oblivian> I am running Soft RAID on 12.04 just fine. Was it the upgrading that went bad?
[22:02] <oblivian> But I've ran into problems before when using disks w/o TLER.
[22:12] <oblivian> In fact, this weekend I am going to set up a Soft RAID10 w/ 4 4TB HDD for running BackUpPC. Been running BackUpPC on Ubuntu servers with Soft RAID for years w/o problems, what so ever. Hope I am not running into trouble now. Takes forever to stripe...
[22:14] <sarnold> oblivian: you may not want to .. RoyK's got a bug open about those not being detected / assembled at boot
[22:14] <sarnold> (nested raids, that is..)
[22:17] <oblivian> I am already running a RAID10 setup on Ubuntu 12.04. No problems there. It's 4 2TB HDD's though... But two years ago I had to scrap a setup since the disks didn't support TLER. Everey reboot degraded the RAID. And I was running RAID5, which I will never do again.
[22:17] <sarnold> hrm.
[22:20] <RoyK> sarnold: nested raids work on lucid, but not with presice
[22:20] <sarnold> RoyK: oblivian says he's got one that works..
[22:20] <RoyK> doubt it
[22:21] <RoyK> raid10 isn't nested raid
[22:21] <sarnold> it isn't?
[22:21] <RoyK> no, it's a raid level
[22:22] <oblivian> Yes, running RAID10. Standard, not nested.
[22:22] <sarnold> .. and it's implemented somehow differently than 1 on top of 0?..
[22:22] <RoyK> sarnold: the problem is nesting
[22:23] <oblivian> Nested is mixing RAID levels, isn't it?
[22:23] <RoyK> oblivian: nesting is like putting raid-0 on top of raid-5 sets
[22:23] <RoyK> or other mixtures
[22:24] <RoyK> raid10 is just another raid level (badly written)
[22:24] <oblivian> OK, running RAID 0 on top of RAID5 is nested RAID?
[22:24] <RoyK> yes
[22:24] <RoyK> or mirroring raid-5 sets
[22:24] <RoyK> or whatever
[22:25] <sarnold> RoyK: heh, I alwaysthought 10 was implemented by simply nesting. why re-write when you could re-use..?
[22:25] <RoyK> raid-upon-raid is nesting
[22:25] <sarnold> sigh
[22:26] <oblivian> But why would you want to nest? RAID10 is the best of both worlds, redundancy and speed. :)
[22:26] <RoyK> sarnold: it should have been - if the developers did it the way I think is right, but then, I may be wrong :P
[22:27] <RoyK> oblivian: no, it doesn't have the flexibility of other levels
[22:27] <RoyK> oblivian: you can't grow a raid10
[22:30] <oblivian> OK, for me that's not an issue, luckily. But the blog didn't seem to be related to nested RAID, was it?
[22:31] <oblivian> The one Scott refered to...
[22:31] <sarnold> oblivian: if it did, he didn't say..
[22:33] <oblivian> But what nested configs are we talking about?
[22:35] <oblivian> JBOD+0?
[22:35] <sarnold> oblivian: in RoyK's case, 5+0: https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/1171945
[22:39] <mdeslaur> oblivian: hiding the server banner is security by obscurity...you don't need to know the version to run your exploit on it...worst case, it doesn't work
[22:39] <mdeslaur> oblivian: the practical side to having the banner is you can now get audited properly and know if some of your infrastructure is out of date
[22:40] <oblivian> sarnold: Hmm, from the comments it seems a lot of users has problems with normal RAID levels too
[22:40] <mdeslaur> oblivian: so having a banner actually improves security
[22:40] <mdeslaur> software raid is only currently broken for some configurations, a lot of people run it properly
[22:40] <mdeslaur> one of the scenarios that is broken is having drives on different types of controllers I believe
[22:40] <mdeslaur> the userbase for software raid is quite limited
[22:41] <mdeslaur> in fact, nobody has stepped up to fix it
[22:41] <mdeslaur> or even open a support case with canonical I assume
[22:41] <mdeslaur> it's mostly used by home users, or very small businesses with small servers
[22:42] <oblivian> Hmm, we are the exception then. :)
[22:42] <mdeslaur> oblivian: yes, you are
[22:43] <oblivian> Weird.
[22:44] <mdeslaur> oblivian: what kind of servers are you running? even the small dell, hp, and ibm servers are available with hardware raid...
[22:45] <kees> mdeslaur: under what conditions is md broken?
[22:45] <oblivian> Yes, our "main" servers are running HW RAID. It's Dell servers actually. But the backup servers and file servers are Ubuntu 12.04 with Soft RAID10.
[22:45] <mdeslaur> kees: I don't exactly know, I haven't seen it myself...did you see keybuk's rant?
[22:46] <mdeslaur> kees: I've seen bug reports about raid trying to come up when some of the disks on a different controller aren't ready yet
[22:46] <mdeslaur> kees: but I don't know how to reproduce it reliably
[22:46] <mdeslaur> (well, I don't have the hardware to try, anyway)
[22:47] <sarnold> kees: RoyK reports any nested configuration is broken in precise and newer
[22:49] <oblivian> mdeslaur: so you are saying it is more secure to expose your system info than not? (server banner).
[22:55] <mdeslaur> oblivian: hiding your server banner doesn't prevent an exploit from working on your server
[22:56] <mdeslaur> oblivian: all it does is prevent a security scanner from seeing what versions are installed
[22:57] <mdeslaur> the question is debatable, but hiding your banner isn't likely to affect your security
[22:57] <mdeslaur> it's a matter of preference
[22:58] <mdeslaur> especially since we don't put exact package versions in the banner
[23:00] <oblivian> mdslaur: OK, I see your point. But I disagree. You are in control of your audits, so when scanning using i.e. Nessus or other enable server banners temporarily. And you underestimate security by obscurity. It is a well founded "securoty mechanism". It is a problem if you only base your security on obscurity of course.
[23:02] <lifeless> oblivian: well founded? !cite please
[23:02] <oblivian> mdslaur: security by obscurity = on a need to know basis.