mgwIs there a way for a kvm instance to access its uuid or id?00:17
thinknowhow to setup shell acounts(are putting together an botnet) on my ubuntu 12.10 server ? (-just installed it, regular installation with lvm encryption though)00:19
adam_gzul, no, thats just the src package00:34
zuladam_g:  k00:34
twbdebsecan "works" on Ubuntu, but it gives false positives for fixes in the M of -NubuntuM.01:01
twbIs there something like debsecan, that talks to launchpad?01:01
twbPlan B is to get my PFY to check, \forall CVEs debsecan reports, does /usr/share/doc/foo mention it (and if so, take no action).01:02
gartralhey all, I hosed grub on my server and need to recover, I've managed to boot the system, but I need a perma-fix01:45
codepython777Is there a faster way than this : ping -n 1 -w 100 IP4v  : For knowing if my server is up?02:13
twbITYM -c102:17
twbBut not really.  You might want nagios or nmap or something.02:18
codepython777twb: -c is not there on my ping for some reason02:24
codepython777also, ping seems to be unreliable for detecting a machine is up or not...sometimes -c 1 does not work?02:24
Patrickdkdefine, faster02:30
Patrickdkcause what your specified I would not consider fast at all02:30
PiciI vaugely remember there being a netcat argument that could quickly tell if a target was up or not.02:30
Patrickdkand if your ping doesn't have -c, your not using ubuntu02:30
twbPici: well if you're testing e.g. for ssh, you can nc example.net ssh, with a timeout02:31
roasted_hello friends02:50
=== roasted_ is now known as roasted
roastedis there a way to cron rsync to run every 5 minutes without having 6,000 entries in crontab?02:50
Patrickdkyou did read the cron manual right?02:54
Patrickdksecond thing, you won't want to put rsync in cron anyways, cause then you could startup two copies of rsync, and well, rsync doesn't like that02:55
mardraumman 5 crontab is all you need02:55
roasteda few times. evidently I missed something.02:55
Patrickdk*/5 * * * *02:55
roastedPatrickdk: have you ever used lsyncd? I might look into that instead.02:55
Patrickdkpersonally, I use bash02:55
roastedbash, as an alternative to lsyncd?02:56
Patrickdkto wrap rsync02:56
Patrickdkor perl02:56
roastedI understand lsyncd watches for file system changes and rsyncs the data accordingly.02:56
roastedI thought that would be kind of neato, but I'm not sure what kind of cons that setup would come with.02:56
Patrickdkwhy would it use cron?03:00
roastedlsyncd wouldn't use cron03:01
roastedI was looking into a continual rsync and came across lsyncd just a minute ago03:02
=== DaIRCKing is now known as GTAXL
twbPatrickdk: you could wrap rsync with lockfile-progs, though running it every five minutes is a bit excessive03:19
PatrickdkI used to run it every 20seconds :)03:28
Patrickdkover a 8gig maildir03:29
twbI guess you had enough RAM to cache all the dirents03:29
Patrickdkthat first rsync would take a good 3min or so03:29
twbBut at that point I would instead just use a while :; do rsync ...; done loop or something, rather than cron jobs03:30
twbOr for maildir specifically, something maildiry like offlineimap03:30
Patrickdkwell, this was just a loop like that yes, with a 20sec sleep03:30
Patrickdkwell, offlineimap wouldn't work03:30
Patrickdkit wasn't clean enough03:30
Patrickdkthis was my first attempt, and it worked well for several years03:30
Patrickdkmulti-master mailservers in multible datacenters03:31
twbWhat do you do now, drbd?03:31
twbOr some magic in dovecot03:31
Patrickdkwell, I would use dsync if I cared03:32
Patrickdkbut the internet has been much better than it was back then03:32
Patrickdkback them, I would constantly randomly loose routing paths to one or another dc03:32
Patrickdklocal isp's fault03:32
twbswap in a new ISP03:32
twb...with prejudice03:33
Patrickdkwasn't an option03:33
Patrickdkwhen you can only pick from 203:33
Patrickdkand the other was 30x the price, much more than they where willing to pay03:33
twbWe still had a quarter of our /24 reserved for staff dial-in pstn modems, until like 200803:33
Patrickdkservers in two other dc's where not even 1/3 that price03:33
twbmaybe 2010 even... whenever I took over03:34
twbThat is, staff connecting directly to us because ISPs didn't exist yet03:34
roastedlsyncd is proving to be a headache.03:39
roastedI somehow made it work from laptop to server, but the goal is to go from server 1 to server 2. It keeps failing saying the host verification key failed, yet regular rsync works without keys since SSH keys are set up.03:39
twbroasted: running it as different users?04:10
roastedtried my regular user and root04:10
twbhost verification failure is usually a result of known_hosts having different data in it, or running in -oBatchMode=yes and not having the existing entry04:10
roastedif I run rsync manually it works fine04:10
roastedif I let lsyncd do it, it tanks04:10
twbI dunno about lsyncd, sorry.04:11
roastedI'm looking at the log file pulling my ahir out because it looks perfect04:11
twbBut maybe lsyncd can't access your ssh agent?04:11
roastedI suppose. I'm not sure.04:11
twbIs it using passphraseless SSH keys for auth?04:12
twbAlso run it with LC_ALL=C and tell me the exact error message04:12
roastedI have ssh keys set up. I have no idea if it's seeing it properly.04:16
roastedfor now I just set up rsync to run.04:16
twbAre the passphraseless?04:16
roastedprobably not a good idea for me to troubleshoot half lit up and tired as can be. :P04:16
roastedwell, when I ssh to the server I get no PW prompt, so yea.04:16
codepython777curl -k -X HEAD -i https://website -- hangs after printing the head- any ideas why?04:26
=== thumper is now known as Guest68473
=== lau is now known as Guest1831
=== ffio is now known as Guest45788
=== Tm_T is now known as Guest51964
=== shirgall is now known as Guest42483
=== Guest1831 is now known as 21WAA4HKQ
=== Ursinha is now known as Guest36665
=== Nigel_ is now known as G
=== Guest68473 is now known as thumper
=== thumper is now known as Guest83673
codepython777how do i measure the total number of bytes sent/received by a particular command?04:33
=== _thumper_ is now known as thumper
=== gartral|away is now known as gartral
=== moonligh- is now known as moonlight
=== ivoks_ is now known as ivoks
=== _KaszpiR__ is now known as _KaszpiR_
=== acidflash__ is now known as acidflash
jamespagesmb: looking at iscsitarget right now08:00
=== klaas_ is now known as klaas
jamespageDaviey, everything is built in havana-proposed now08:12
jamespageshall I promote to updates?08:12
=== acidflash__ is now known as acidflash
=== smb` is now known as smb
=== tsimpson_ is now known as tsimpson
sanderj_What do I do when fsck /dev/sdb1 returns only the version number. and when I go into the dir I get: ls: reading directory .: Input/output error08:26
apwsanderj_, i would look in dmesg and see if the drive is even present, also fsck on a mounted filesystem is a no-no unless it is r/o and even then not recommended08:28
=== ejv_ is now known as ejv
sanderj_apw, scsi0: ERROR on channel 0, id 1, lun 0, CDB: Read (10) 00 12 c1 ad 4f 00 00 08 00, Info fld=0x12c1cd8f, Current sdb: sense key Medium Error08:29
apwmedium error, this means physical issues08:29
sanderj_apw, ok, thanks.08:30
jamespageadam_g, what do you think about a feature for the nova-compute charm that allows you to suckup disks and mount them on /var/lib/nova/instances08:56
jamespageright now they always sit on the OS disk by default08:57
jamespagethis would allow extra disks in servers to provide ephemeral storage08:57
jamespagesmb, just uploaded a new version of iscsitarget - should be OK now08:57
jamespagewhen the patches landed upstream the whitespace/tabbing in the compat patches got fixed up08:58
smbjamespage, Ok, I will get it downloaded as soon as it shows up and make the machine that failed verify it08:58
jamespagesmb, I tested it on a 3.5 12.04 machine and it looks OK09:00
smbjamespage, ok, well the machine that exploded was a saucy one but just happened to get upgraded from 3.9 to 3.10 kernel at the same upgrade run09:01
smb(not that I can repeat that exactly)09:01
=== jibel_ is now known as jibel
=== virusuy is now known as Guest73883
=== virusuy is now known as Guest51645
=== henkjan_ is now known as henkjan
phretorhi, does this kernel build http://packages.ubuntu.com/precise/linux-image-server has the CONFIG_ROOT_NFS=y?10:06
zatrickyHi, all. I updated my personal server at home last night from 12.10 to 13.04 - the upgrade went smoothly except that the new kernel (3.8) doesn't finish booting. There are no clues given except for an error saying "Timed out", and "Dropping to a shell".10:27
zatrickyThe server runs off a 60GB Intel SSD with btrfs - which works without any issue with the previous kernel (3.5)10:28
zatrickyI've done a lot of googling but I'm not seeing much info relevant either to btrfs or simply "Timed out" in relation to the a boot process failure :-/10:29
foo357Hello. I've had some trouble with cron-anacron recently, I'm fairly new to it.11:39
=== funkyHat_ is now known as funkyHat
foo357However I think I've found the answer: http://askubuntu.com/questions/92322/time-of-execution-of-daily-anacron-job11:40
foo357the solution is to make cron start anacron every hour. But the suggested edits to the crontab file seems a bit flawed.11:42
foo35701 0    * * *   root start -q anacron || :11:43
foo357@hourly root start -q anacron || :11:43
foo357If I'm reading this correctly these two lines are equivalent and just uses a bit different syntax.11:43
foo357so only one of them would be needed really.11:44
foo357can anyone confirm if I'm right or wrong?11:44
zatrickyfoo357 - correct, seems a bit strange to have two entries that do the same thing at the same time11:45
foo357thanks for the response zatricky.11:51
=== huats_ is now known as huats
Teduardookay i've figured out that if i interrupt the boot process by holding shift and then select ubuntu advanced and then tell it to boot normally the console works13:28
sebrockI'm having trouble gettin L2TP tunnel to work with xl2tpd. It just sits there. No error messages, nothing. Can someone please help me?13:40
=== Guest79110 is now known as JanC
=== JanC is now known as Guest3754
=== Guest3754 is now known as JanC
=== Guest51964 is now known as Tm_T
=== Guest14422 is now known as remix_tj
=== Guest28536 is now known as ahasenack
=== wedgwood_ is now known as wedgwood
hallyn_stgraber: I'm going to have to have lxc-start check whether it is already in a subdir of /sys/fs/cgroup/$d/lxc/$container and do nothing if so15:24
hallyn_stgraber: it gets a bit hacky, but with new kernel restrictions it seems the only way to keep the mountcgroups hook usable15:25
hallyn_just fyi15:25
stgraberhallyn_: ok, does that mean that a nested container will essentially end up in the same cgroup as its parent (instead of its own sub-entry)?15:28
hallyn_it may be that doubly nested containers won't work any more - i haven't thought thruogh whether that's fixable yet15:29
resnoi have 2 vms behind a pfsense firewall, both configured the same. one can ping an ip the other cant... any suggestions?15:40
resnoboth ubuntu 10.0415:40
sindriOk, I'm still having problem running vsftpd on my server; getting "530 Non-anonymous sessions must use encryption." My config looks like this: http://paste.ubuntu.com/5846998/ and my user config like this: http://paste.ubuntu.com/5847003/ any help would be welcome. Thanks!15:41
Free99hey everyone. Trying to figure out how to use the "remember" option in PAM for the pam_unix.so module17:08
Free99there apparently used to be a package called "pam_pwhistory" but it doesn't exist any longer for 12.0417:08
=== Guest82953 is now known as Corey
Free99(shrug) ok then17:15
=== Guest14861 is now known as maxb
Vec_Hi. <- learning newbie. Just about to install LAMP-stack on my server. Should i also install a webbased adminpanel like cPanel or ISPConfig3, or simply take my time and config it through a ssh? - what are you guys' reccomendations?17:18
Vec_Basically at first i just want my box to serve webpages securly, then my goal is to host various java applets im programming for school.17:19
jpdsVec_: You're going to learn a lot more via SSH.17:19
PiciVec_: The only web-based front end that I personally find useful is phpmyadmin (or phppgadmin), anything else is probably overkill.17:19
sarnoldVec_: strongly recommend against web-based configuration panels. (a) they are very often used by hackers to gain access to systems, since their code quality is usually very poor (b) they get in the way of doing the configuration yourself -- it's like wearing boxing gloves with everything you do. I dislike them. Intensely. :)17:19
jpdssarnold: Including boxing?17:20
Vec_Ok, well im settled then. SSH it is.17:20
PiciAlso, I usually leave them disabled unless I'm actively working with them.17:20
Vec_jpds: lol17:20
sarnoldjpds: lol :)17:20
Vec_Tbh i've gotten really far in 1 week. From 0% knowledge of linux to now having a server sharing files, running automated backup, sharing a printer -- all configured as restrictive as my brain find logical and whatnot HOWTOs and ubuntu docs tell me17:21
Vec_Its really really fun ^^17:21
maxbThe other *massively* useful thing about doing configuration in textual configuration files is that you can put them under version control, and have an audit trail, notes about why you changed things, and a way to roll back when things go wrong17:21
sarnoldVec_: cool :) I'm glad it's fun :)17:22
Vec_maxb: That sounds like something i should google.. not sure if i can handle the added complexity of learning version control (however that works) together with configing the LAMP stuff17:22
jpdsVec_: sudo apt-get install etckeeper17:22
jpdsVec_: https://help.ubuntu.com/12.04/serverguide/etckeeper.html17:23
enragedmaxb: I just joined in the middle of this conversation, but if I launch a GUI program that makes modifications to a config file, doesn't the user who launched the GUI program be recorded as the person who edited the text file, just as if they'd done it with a standard text editor?17:24
Vec_jpds: "By default, etckeeper will commit uncommitted changes made to /etc daily" what exactly does this mean?17:24
maxbThe context of the conversation involved ssh vs. web admin tools17:24
enragedAh ok17:25
enragedI apologize17:25
jpdsVec_: It'll do a daily commit of changes on its own.17:25
enragedIf we're discussing SSH atm in here, is there anyone using Ubuntu 10.04 that has managed to get multi factor authentication working with OpenSSH?17:25
Vec_Please define commit. Also, if i make changes to a config file in /etc then i save it staight away (pretty sure im missing the target at this point? :p)17:25
enragedI'm specifically involving ssh keys here17:26
enragedAn important detail missed out.17:26
jpdsenraged: I always use SSH keys, everywhere.17:26
jpdsVec_: Commited into the version control.17:26
Vec_jpds: As in logged? (will continiue to read now..)17:26
thinknoweasiest app to make an shell account on my server?17:26
jpdsVec_: If you just save the file, the change isn't yet in the version control system until you commit it into it.17:26
enragedjpds: Do you use mfa aswell?17:26
jpdsenraged: No.17:26
enragedjpds: Aw damn.17:27
sarnoldthinknow: adduser(8)17:27
Vec_jpds: Ah ok, so if i change stuff, notice i fubar'd it, then i can roll it back before its committed?17:27
jpdsVec_: Yes, and even after it's commited.17:27
Vec_well that sounds very nice17:27
thinknowsarnold, but i mean shell account so i can add process like irc17:27
thinknowdont remember the name17:28
enragedjpds: I've been trying to get totp codes to be required as a secondary authentication method to an ssh key, but as far as I can tell PAM is required to do that and when you use an SSH key it bypasses PAM17:28
jpdsenraged: If they steal your private SSH key, you have other issues.17:28
enragedjpds: Yeah, my concern is the laptop I use to remotely admin being hacked, the private key file being stolen and the laptop being keylogged so they know the passphrase to decrypt the file.17:29
enragedjpds: So yeah, totp codes generated by a phone or something else as secondary authentication, because they'd then need to hack the phone aswell17:29
jpdsenraged: Welcome to the world of paranoia. Encrypt your /home directory on the laptop.17:30
enragedjpds: Oh man! I wish I could, but the circumstances I'm in, the laptop is Windows 7.17:30
sarnoldenraged: see if this helps: https://www.duosecurity.com/docs/duounix17:30
enragedjpds: So yeah, now you understand why I'm so nervous XD17:30
Free99anyone know how I can enable the "remember" option in PAM?17:30
enragedsarnold: Thanks. I remember annoying you about this a while back.17:30
Free99I'm not clear on how to do it17:30
sarnoldenraged: yes, and I remember being very annoyed that I didn't completely understand opeenshd at the time :)17:31
enragedsarnold: No problem man; It's what, a month later, and I still haven't figured this one out.17:31
jpdsenraged: You can still encrypt things on Windows (truecrypt and co.).17:32
enragedjpds: Oh yes, but the private key file is stored on a usb stick anyways seperate from the laptop.17:32
sarnoldFree99: pam_cracklib's "similar" might do it?17:32
enragedjpds: So the win7 laptop itself isn't the concern, just a keylogger and filestealer being installed.17:32
=== Vec_ is now known as Vec_brb
sarnoldenraged: man :/ you think this would be easier..17:32
Free99enraged: what about using libpam-oath?17:33
enragedsarnold: I talked to the guy who wrote the sirc protocol yesterday and mentioned this to him. Didn't believe me so he logged onto his test server, spent 10 minutes playing arond and came back giving me a puzzled look.17:33
Free99sarnold, i'll take a look thanks17:33
sarnoldenraged: hahah :)17:34
sarnoldenraged: well, at least I'm not the only one then17:34
mgwI have a firstboot script in rc.local (I used vm-builder). How can that script cause a reboot?17:34
sarnoldthat makes me feel a touch better :)17:34
enragedfree99: Whole problem here is you can't use PAM17:34
sarnoldmgw: by calling /sbin/reboot ?17:34
mgwSimply rebooting aborts rc and the firstboot flag never gets set17:34
mgwso it repeats the reboot after every boot17:34
jpdsmgw: Nice.17:34
Free99but enraged, sshd authenticates against pam17:35
sarnoldah :) good luck ;)17:35
sarnoldFree99: only for passwords..17:35
mgwsarnold, jpds: I guess I can set the firstboot flag manually17:35
jpdsmgw: Store that you've firsted boot in a file and check if that file exists before you reboot?17:35
sarnoldFree99: if you use keys, it bypasses pam entirely :/17:35
enragedfree99: Only when you use passwords. When you use SSH keys, it bypasses PAM for auth, so you can't use any pam modules.17:35
enragedhum indeed17:36
mgwjpds: thanks, that's what the rc.local script does, but the firstboot.sh was exiting before it got there. SHould have it fixed now17:37
Free99enraged, would this help? think about the possibilities: http://jpmens.net/2006/03/02/ssh-public-keys-from-ldap/17:37
jpdsenraged: You could just set up a firewall so that the server only allows access to sshd from your IP address.17:38
Free99enraged, the idea isn't the LDAP part, its more the fact that the patch allows you to connect via ssh through seeing you have a user account via PAM, then checking the key against...well, whatever you want17:39
Free99could potentially be a file or a stupid script or w/e you want17:40
enragedI'll have to read more into this; it's the first time I've seen this post.17:40
jpdsenraged: LDAP doesn't slove your problem.17:41
enragedIt's close to a suggestion I recieved by the sounds of it, where we would have a key server that I logged into with a password and otp code, then from that key server, log onto the other servers17:41
enragedYeah, I'll have to read it more.17:42
enragedI've never heard of LDAP before.17:42
enragedHow bad is that?17:42
jpds"bad" ?17:42
enragedWell, OpenSSH is something every sysadmin show know about...17:42
Free99enraged: it's got a steep learning curve. it's the tech that microsoft borrowed to make active directory17:42
enragedBy comparison, LDAP is....?17:42
Free99basically a database of user accounts and stuff17:42
enragedhrm, ok17:43
Free99update in one place, updated everywhere17:43
enragedJust to be clear, purely focused on user management or is this just a general file syncing service?17:43
jpdsenraged: User management.17:44
jpdsenraged: But you can store other things in it.17:44
Free99enraged, what service provider do you have?17:44
Free99for your cell17:44
enragedBritish Telecom17:45
Free99enraged, do you know what BT's sms gateway is?17:48
enragedSorry, you've gone off on a tangent here; what are we/you trying to do?17:48
Free99enraged, if you want to replicate Google's OTP thing, I was thinking you'd have that pam plugin make the OTP and you can essentially "email it to your phone" via sms17:50
Free99in the US, if you want to send a text to your phone, depending on your service provider (mine is AT&T) you email "<phone number>@wap.att.net" and it shows up as a regular text17:51
sarnoldFree99: but PAM isn't available if you're doing ssh authorized_keys :/17:52
Free99sarnold, unless he uses that patch I just linked him17:52
sarnoldFree99: jpmen's ldap-thingy?17:52
Free99yeah. the LDAP is totally PAM-based17:52
sarnoldaha :)17:52
enragedFree99: Oh, I understand!17:52
enragedFree99: One second.17:53
Free99oh dang. the link to the patch is dead17:53
Free99oh wait! github to the rescue!17:54
enragedFree99: Ok, so at the moment, I have an app on my phone (Android) that produces the TOTP codes without contacting the server I'm connecting to. The problem is, how do I get the SSHd server to request the second authentication method, of the totp code, and then compare it against the PAM module which will confirm or declare false the code entered.17:55
jpdsFree99: You do realize using a hacked up version of OpenSSH like that is going to be a security nightmare in the long term?17:55
enragedFree99: The PAM module is supposed to initiate after a succesful password login that then waits for the user to enter the TOTP code before giving Shell17:55
enragedjpds: At the moment, this is more technical curiosity.17:56
enragedjpds: If it can just be done I'll be happy.17:56
Free99jpds, yeah.. I know. But how can I trust anyone tbh? Just because the repos are canonical maintained, doesn't mean they're always trustworthy. Even kernel.org... http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/17:56
jpdsFree99: No, I meant more like having to compile and update OpenSSH by hand every time an update comes out in precise-updates.17:57
=== Guest41538 is now known as mist
Free99jpds, perhaps enraged will become a repo contributor... that's how it starts right?17:58
enragedBWA HA HA17:58
Free99openssh-server-lpk? lol17:58
enragedFree99: I think you're overestimating my capabilities17:58
Free99enraged, that's on you bro haha17:59
Free99anyhow I'm enjoying my 5th of july off. Gonna hit the pool. see you guys! and good luck17:59
enragedSee ya man17:59
sarnoldenraged: the duo-security thing looks like an unfortunate hack the way it's implemented, but a pal who I trust uses it, so perhaps the caveats are worth it :)18:00
mgwFree99: upstream has AuthorizedKeysCommand directive for ssh18:00
enragedSarnold: Yeah I'll have to give it a proper look later.18:01
enragedI don't think Free99's ldap proporsal really solves the problem; it looks very similair to a certificate authority18:02
=== wizonesolutions_ is now known as wizonesolutions
sarnoldenraged: he is only suggesting it because it patches sshd to use the PAM stack before doing ssh keys18:04
sarnoldenraged: the ldap is just a side effect18:04
sarnold.. and probably one you can ignore18:04
enragedI think I'm starting to get a bit closer to fully understanding why he wanted to do this now then :p18:05
enragedI'll be reading through the duo security manual though before I decide which to try first18:06
sarnoldenraged: I'd also like to suggest against running a patched sshd :)18:07
sarnoldit's fragile code.18:07
sarnoldor, it has a long history of being fragile..18:08
enragedYeah, probably the main reason I am going to put my hope in your duo security suggestion...18:08
enragedIf this doesn't work, I'll come back and annoy you some more with the forcecommand issue...18:09
enragedSarnold: You have so much fun to look forward to!18:09
thinknowsomeone have an idea how to connect my server trough tor/vidalia ?18:20
thinknowi have tried some tutorials, but cant find any apps that make this job easy or stable18:21
sarnoldthinknow: I think what you're looking for is tor onion addresses. maybe ask in #tor on irc.oftc.net.18:22
thinknowok i will look it up:)18:23
thinknowthank you18:23
=== royk is now known as RoyK
=== RoyK is now known as rOYk
sandprickleI've been trying for hours to get Nginx+php fpm working to no avail. Precise. Nginx 1.4.1 from the Nginx repo. All other packages from ubuntu repos. What might I be missing?18:41
sarnoldsandprickle: anything in hte logs?18:42
sandprickleyeah: 2013/07/05 14:34:22 [crit] 25963#0: *1 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client:, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"18:43
sandpricklefile permissions?18:43
rOYksmells like PEBKAC18:47
sarnoldsandprickle: could be; what ar ethe permissions on /var/run/php5-fpm.sock? does the nginx process owner have privileges to talk with thatsocket?18:52
sandpricklewww-data owned /var/run/php5-fpm.sock; did chown nginx:www-data /var/run/php5-fpm.sock; now I get a different error..18:58
sarnoldyeah don't change the ownership of the socket... the fpm runner should own it, it provides the socket after all :)18:59
sandprickleYeah, that didn't work. added nginx to the www-data group. now getting this: 2013/07/05 15:01:15 [error] 26598#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client:, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"19:02
sarnoldTheLordOfTime: ^^^  :)19:02
* TheLordOfTime looks19:03
TheLordOfTimesarnold:  you did poke me at a bad time though19:03
* TheLordOfTime was beating an nginx FTBFS19:03
sarnoldTheLordOfTime: d'oh :)19:03
TheLordOfTimesandprickle:  pastebin your conf19:04
sandpricklesure thing19:04
sandprickleit's in multiple files... multiple pastes or just one (pastebin n00b)19:06
sandpricklenginx.conf: http://pastebin.com/9WCkccyt conf.d/dev.conf: http://pastebin.com/9SmR5Y9X fastcgi_params: http://pastebin.com/sTprY17D19:10
sandprickleTheLordOfTime: ^^19:10
=== blkperl_ is now known as blkperl
sandprickle/etc/php5/fpm/pool.d/www.conf: http://pastebin.com/PxVz0JUy /etc/php5/fpm/php.ini: http://pastebin.com/D3AjBb4L19:14
TheLordOfTimesanderj_:  sorry i'm like jugging a billion things19:24
* TheLordOfTime looks now19:24
TheLordOfTimesandprickle:  ^19:25
sandprickleno worries. #nginx woke up now anyway.19:26
TheLordOfTimesandprickle:  yes they did19:26
TheLordOfTimehaving said that i see a few pitfalls19:26
Vec_brbOn my apache server, i have java.html with 004 permissions. If the file is owned by root user and root group, i can view the file in my browser. If www-data group owns the file, i get permission denied. How come? o.O19:48
sarnoldVec_brb: permissions are checked in the order of user, group, world19:48
sarnoldVec_brb: when the web server owns the file, the first check finds '0', and returns forbidden19:49
Vec_brbOh, derp..19:50
Vec_brbIn other words, im denying the owner of content in displaying it to my browser?19:50
=== Vec_brb is now known as Vec_
Vec_Yeah, i could make www-data the owner group and give that group read permissions with everyone else at 0 and it works. I assume this is because its the www-data group that is because my user which is in www-data is responsible for serving the site19:53
sarnoldVec_: yes, and worse, if your web server is compromised, it'd be easy for the file permissions to be set back to allowing the server to write the file, and then changes be made ot your website content in a persistent fashion19:53
sarnoldVec_: web servers shouldn't own any of the content they serve -- their only write privileges should be their log files, database and fast-cgi-like sockets19:54
Vec_sarnold: Ok. So best practice is having no owners on the files with 004 permissions ?19:55
sarnoldVec_: well, make sure www-data doesn't own any more files than necessary; 004 is another matter (it's overkill, and perhaps counter-productive..)19:56
=== james_ is now known as Guest8292
Vec_There is only one user in www-data, me (the server superuser?), i don't see why it would be bad for effectivly me to own the files in my webdirectory.. I'm 100% new at this linux stuff, and i just installed LAMP so im kinda fumbeling atm >..<19:59
Vec_I mean, does it matter when i can control the permissions anyway. And if my user is compromised then im fubared anyway20:00
sarnoldVec_: on the one hand, you're right, if the servre gets compromised you're better off re-building from backups20:00
sarnoldVec_: but business demands sometimes means fixing the iimmediate problem and getting back to business while you rebuild a new machine20:01
Vec_sarnold: Thanks for making me understand what happened on my original question. Other than that i feel like you are replying with knowledge way outside my league at this point in time. Im just a random student who installed linux a week ago and now i have this awsome server up and running with some basic services like printersharing/filesharing/automated backup and now this LAMP server.20:03
Vec_I should probably just read a whole lot more HOWTOs and documentation instead of conversing in this channel on a level i dont yet fully comprehend ^^20:03
Vec_I was kinda apprehensive about installing LAMP tho as it exposes me so much (i assume) to the net.. Therefore i think i should read more to limit my exposure and get the permissions and fileownership right (and understand it too)20:04
sarnoldVec_: heh, fair enough, just mark down that you'll want to ask me about it again in another six months or osmething :)20:06
sarnoldI've got a nice rant written about it somewhere..20:06
uvirtbotVec_: Error: "-^" is not a valid command.20:07
Vec_Hm, i should probably only installed apache, considering i really just want to serve static pages with java applets i program for school20:08
=== rOYk is now known as RoyK
=== pgraner` is now known as pgraner
=== ppetraki_ is now known as ppetraki
=== Guest36200 is now known as jrgifford_
hallyn_stgraber: are you by any chance around with a few minutes to look at an ugly lxc patch?22:53
hallyn_(if so, http://people.canonical.com/~serge/0011-cgroup-hook-handle-stricter-kernel - else, i'll test some more and push to saucy and post to list)22:55
stgraberhallyn_: +INFO("XXX checking subsystem %s against string devices len %d", cg->subsystem, len);23:03
stgraberhallyn_: did you mean for those three INFO to stay there? the XXX looks like a temporary thing23:03
stgraberhallyn_: besides that, as ugly as it's, it looks fine23:05
hallyn_i kind of wonder if we went ahead and setup all the cgroups first, then ran hooks, then entered cgroup at very end, if that would be better overall23:08
hallyn_meanwhile upstream git has diverged there from saucy's pkg...  already split up the devices setup a bit23:08
hallyn_still, this is passing tests23:09
hallyn_stgraber: you've told me before, but can't find it in my irc logs -  were you planning on merging upstream git in july?23:10
hallyn_well really the clean solution will be "if you want nesting, use user namespaces and the cgroup management agent."  <shudder>23:13
stgraberhallyn_: I've been pretty busy with other things but I think we should try and get an alpha release done upstream in early August, then use that for saucy23:24
stgraberhallyn_: what we end up shipping with in saucy I don't really care much about, it's a non-LTS release with a 9 months support period, so as long as it's fairly recent and it works...23:25
hallyn_stgraber: sounds good.23:32
thinknowlol question, but command in ubuntu server for starting ftp host ?23:32
sarnoldthinknow: apt-get install vsftpd, edit the configuration as necessary, then 'service vsftpd start'   ought to do it23:35
thinknowok thnx23:36

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!