/srv/irclogs.ubuntu.com/2013/08/06/#ubuntu-server.txt

shawn1	Could anyone help me? I'm experiencing a problem similar to what is described here:	01:33
shawn1	http://lists.freebsd.org/pipermail/freebsd-questions/2004-September/058852.html	01:34
shawn1	But my ubuntu 12.04 LTS server doesn't seem to have an /etc/rc.conf file	01:34
shawn1	So I don't know where to implement the answer given in that article or even if that answer is relevant on my version of Ubuntu Server	01:34
sarnold	shawn1: you're getting "permission denied" when you're trying to ssh to a specific server?	01:36
shawn1	yes. Let me copy and paste my own outputs	01:36
shawn1	Shawns-MacBook-Pro:~ shawnshipley$ ssh -vvv 192.168.1.255	01:37
shawn1	OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011	01:37
shawn1	debug1: Reading configuration data /etc/ssh_config	01:37
shawn1	debug1: Applying options for *	01:37
shawn1	debug2: ssh_connect: needpriv 0	01:37
shawn1	debug1: Connecting to 192.168.1.255 [192.168.1.255] port 22.	01:37
shawn1	debug1: connect to address 192.168.1.255 port 22: Permission denied	01:37
shawn1	ssh: connect to host 192.168.1.255 port 22: Permission denied	01:37
sarnold	shawn1: I have a wild guess that your laptop and your server do not agree on netmask or their network address	01:38
shawn1	how can I fix that?	01:39
sarnold	shawn1: you'll have to find the correct settings to use, probably from your router, and then ensure that your server and your macbook both have the same settings for netmask, broadcast, and so forth	01:40
sarnold	shawn1: (the 'permission denied' here is probably because you're trying to ssh to a broadcast address, for a network 192.168.1.0 and netmask 255.255.255.0 (a /24))	01:40
sarnold	shawn1: if you manually assigned an IP address for your server, don't use .255. :)	01:41
shawn1	I didn't manually do that. Why would that present a problem, though? (just so that I understand for future reference).	01:42
sarnold	shawn1: normally the 'last' address in a network range is a broadcast address that can be used to contact all hosts in a subnet. but it only works with UDP and ICMP, not TCP, and it requires superuser privileges, and most hosts don't respond to broadcast ping requests any more anyway :(	01:43
sarnold	shawn1: so, if your network is 192.168.0.0 and the netmask is /16, the broadcast address would be 192.168.255.255; if the network is 192.168.0.0 and the netmask is /24, then the broadcast is 192.168.0.255.	01:44
shawn1	.255 is the global address, .5 is the local address, but it won't ping to .5	01:45
sarnold	shawn1: it's not always 255, that's just convenient with /8 or /16 or /24 netmasks -- but it does stand out clearly here :) hehe	01:45
shawn1	This is an odd question, but is your name Sarah Arnold?	01:45
sarnold	shawn1: indeed no, seth arnold. hehe. :)	01:46
shawn1	I know a Sarah Arnold, so I was just wondering	01:46
shawn1	My question: Do you know a way that I can completely reset the router?	01:47
shawn1	I configured it in windows and then later had to reinstall windows and it would only let me connect as a guest.	01:47
sarnold	shawn1: depends on the router. often holden the power button for twentyseconds or something will zero the memory.	01:47
shawn1	It'll completely reset everything and let me reconfigure?	01:47
ag763	Any ideas on why wlan0 wouldn't start on boot when configured in interfaces file but does with 'ifconfig wlan0 up'	01:50
sarnold	shawn1: quite often; it varies from vendor to vendor, but that's a good first shot. hehe. :)	01:50
sarnold	ag763: pastebin your interfaces?	01:51
ag7631	sarnold, http://pastebin.com/1CGSyeQK	01:55
sarnold	ag7631: do you need a module loaded first? maybe add the module name to /etc/modules?	01:57
sarnold	ag7631: hope that helps, it's time for me to bail :) have a good night, have fun	01:58
sarnold	shawn1: any luck with 20-seconds? :)	01:58
ag7631	sarnold, I would expect to see a dmesg or syslog error for that right?	01:58
sarnold	ag7631: hrm. dunno. seems plausible though :)	01:59
ag7631	sarnold, looking through both I don't see anything. I can start it right after booting without any issues, seeing nothing in dmesg or syslog I'm at a loss.	02:01
shawn1	Netgear can be frustrating....	02:04
shawn1	Okay. I think I found what I needed	02:04
=== Lcawte is now known as Lcawte\|Away
shawn1	the netmask address matches	02:16
shawn1	I was making a very dumb mistake!	02:18
shawn1	I was accidentally trying to ssh the broadcast address	02:18
shawn1	I'm connected remotely	02:19
shawn1	VICTORY!!	02:20
shawn1	(you can tell that I'm new at working with servers)	02:20
shawn1	Thanks, Sarnold	02:42
anepanaliptos	how do we ceck the health of a filesystem?	02:55
virusuy	anepanaliptos: fsck /filesystem	03:00
virusuy	a good practice is umount that filesystem first	03:00
virusuy	and you fsck the partition	03:00
anepanaliptos	what can do you do over ssh	03:00
anepanaliptos	?	03:00
anepanaliptos	is there anything just to show the health 'status' so to say?	03:00
virusuy	well, fsck is the most secure way to see if a filesystem is health or not	03:02
virusuy	do you have any kind of read/write errors or something?	03:02
anepanaliptos	well i just ran the server too many times on/off the harsh way	03:03
anepanaliptos	and i just want to make sure the disks are ok	03:03
virusuy	anepanaliptos: uhmm, fsck all th way	03:03
virusuy	but , yeah, its really importat unmount those filesystem first	03:04
anepanaliptos	yeah i once did it mounted	03:04
virusuy	and also there is a way to force fsck before boot in the next reboot / power on	03:04
anepanaliptos	made everything brand new	03:04
anepanaliptos	o yeah? how's that?	03:04
virusuy	uhmm .. i didn't recall, but let me search for you	03:04
anepanaliptos	oh no that's ok	03:04
anepanaliptos	ill rtfm	03:04
anepanaliptos	im not lazy, just unknowlegeable.	03:05
virusuy	http://linux.aldeby.org/post/linux-ubuntu-force-fsck-filesystem-check-at-reboot.html	03:05
virusuy	that web page was written in 2011, info could be old .. but i know there is a way to force that	03:05
LLckfan	I am trying to reconnect a blu-ray player to my router wirelessly and keep get dhcp cannot be acquired. Is there a way to fix this?	04:05
anepanaliptos	where is dhcp provided from?	04:08
LLckfan	I do not knwo	04:08
shawn1	can anyone help me?	05:04
shawn1	I set up port forwarding and made my server IP static in order to connect through SSH to my server over the internet.	05:05
shawn1	but I don't know what command to use from the client machine in order to access the server.	05:05
qman__	ssh	05:05
shawn1	well, yes	05:05
shawn1	but to I just ssh my server login name and external ip	05:06
qman__	yes	05:06
shawn1	or do I need to specify port 80	05:06
qman__	ssh youruser@1.2.3.4	05:06
qman__	absolutely not, port 80 is for http	05:06
shawn1	oh	05:06
shawn1	well that's the point	05:06
shawn1	I'm trying to connect over http	05:06
shawn1	maybe I stated that incorrectly, sorry	05:07
qman__	you can't ssh over http as far as I am aware	05:07
qman__	I don't know why you would want to	05:07
qman__	in fact, quite the opposite is a typical case, http tunneled over ssh	05:07
shawn1	well	05:08
shawn1	here's what I did	05:08
shawn1	in my router settings, I clicked on the 'port forwarding' option	05:08
qman__	if you want to SSH from the internet, you need to forward port 22	05:08
shawn1	okay	05:08
shawn1	let me change things here	05:09
qman__	and I suggest that you either install fail2ban or configure a limiting firewall to defend against brute force attacks	05:09
shawn1	well sweet	05:10
shawn1	that was easy	05:10
shawn1	okay.	05:10
indistylo	Folks, Having problem starting Jboss server, it says Jboss home pointing to different installation , Output can be seen in the URL( http://paste.ubuntu.com/5953884/ ) please suggest some solutions	05:10
shawn1	Thank you very much :)	05:10
indistylo	shawn1 Can you resolve my problem, any idea on Jboss server ?	05:18
indistylo	shawn1: Can you resolve my problem, any idea on Jboss server ?	05:18
indistylo	qman__: Can you suggest something about Jboss? any idea?	05:19
qman__	sorry, I don't know anything about it, I try to stay as far away from java as possible	05:23
shawn1	Sorry, indistylo	05:27
shawn1	I just got your messages	05:28
shawn1	and I'm one of those people who are on here for help	05:28
indistylo	Shawn1: No issues	05:28
shawn1	in questions related to server issues, qman_ will know much more than me :)	05:28
indistylo	shawn1: Its alright I am juggling with problem still, Ya i had already asked qman__ : waiting for his reply !	05:29
foo357	Hm, I want to change my home directory but usermod complains about me being logged in (which is true), but I am the single logon-user available on the machine...	05:39
anepanaliptos	foo357: root.	05:48
foo357	anepanaliptos: I connect to the machien through ssh and login with my account	05:50
foo357	anepanaliptos: I don't think it's possible to directly login as root that way	05:50
ScottK	Use sudo -i	05:53
indistylo	Folks, Eclipse not starting in ubuntu12.04, I installed in /usr/share/eclipse directory and created eclipsed.desktop but its not starting, Kindly suggest solutions	05:54
ScottK	Ask for help on #ubuntu since that's not a server issue.	06:05
ikonia	indistylo	06:50
ikonia	oops	06:50
shawn1	got it!	07:02
shawn1	thanks!	07:02
shawn1	=]=]	07:07
=== thumper is now known as thumper-afk
=== three18t- is now known as three18ti
_ruben	ugh .. why is Azure so limited .. they make it really hard to make linux clusters (no floating ips for HA services, etc)	08:43
_ruben	need to find something decent to replicate/sync my data between nodes somehow	08:44
=== smb` is now known as smb
=== Lcawte\|Away is now known as Lcawte
=== Jikan is now known as Jikai
=== Jikai is now known as Jikan
=== matanya_ is now known as matanya
geser	stgraber: Hi, can I ask you something about the isc-dhcp-server6 upstart job? I'm trying to figure out how to fix bug #1186662	11:37
uvirtbot	Launchpad bug 1186662 in isc-dhcp "isc-dhcp-server fails to renew lease file" [Undecided,Confirmed] https://launchpad.net/bugs/1186662	11:37
stgraber	geser: sure	11:38
stgraber	sounds like a regression that would have happened when we switched from our own privilege dropping code to upstream's --paranoia option	11:38
stgraber	it could be that in the past, dhcpd only dropped privileges after all the files were opened but now it happens a bit earlier, causing the -ENOPERM	11:39
geser	the lease file itself get updated, but it can't get rotated as dhcpd is running as dhcpd but everything is owned by root	11:40
geser	so no updates to leases~	11:40
stgraber	ah right, so we probably should just give the dhcpd user ownership of the dir and be done with it?	11:41
geser	almost, with chown dhcpd it gets a little bit farther till: dhcpd: Can't backup lease database /var/lib/dhcp/dhcpd6.leases to /var/lib/dhcp/dhcpd6.leases~: Operation not permitted	11:41
geser	the apparmor profile needs an update too: kernel: [2773234.120934] type=1702 audit(1375788247.840:13): op=linkat action=denied pid=31888 comm="dhcpd" path="/var/lib/dhcp/dhcpd6.leases" dev="dm-0" ino=2757	11:42
geser	do I need to specify that dhcpd can write (create new files) to /var/lib/dhcp into the apparmor profile?	11:44
stgraber	I'm surprised the existing apparmor rule doesn't cover that	11:46
geser	there is "/var/lib/dhcp/dhcpd{,6}.leases* lrw" but it seems it doesn't cover creating new files	11:48
geser	looking at the code, dhcpd removes the old leases~ and renames leases to leases~ before it creates a new leases to write into	11:49
BrixSat	Hello	11:51
BrixSat	i need some info, i have 200 servers under my management. Is there any way i can have a key management system, say i want one key to all servers and i dont want to ssh them manualy or in a script, since a server can be now offline and later online	11:52
BrixSat	i need to be able to generate keys and distribute them	11:52
geser	jdstrand: can you help me to understand why the dhcpd apparmor profile issue? I've in syslog: "dhcpd: Can't backup lease database /var/lib/dhcp/dhcpd6.le	12:10
geser	ases to /var/lib/dhcp/dhcpd6.leases~: Operation not permitted"	12:10
geser	and later "kernel: [2773234.120934] type=1702 audit(1375788247.840:13): op=linkat action=denied pid=31888 comm="dhcpd" path="/var/lib/dhcp/dhcpd6.leases" dev="dm-0" ino=2757	12:11
geser	isn't "/var/lib/dhcp/dhcpd{,6}.leases* lrw" enough to allow it?	12:11
jamespage	zul, bah - ordering of package build in havana-proposed is creating installability issues	12:14
zul	jamespage: like what?	12:16
jamespage	zul, "python-keystone : Depends: python-sqlalchemy (< 0.8) but 0.8.2-1~cloud0 is to be installed"	12:16
zul	jamespage: grr..	12:17
zul	jamespage: hmmmm	12:18
jamespage	zul, if I rebuilt it now against staging it gets the correct versioned depends	12:18
jdstrand	geser: what version of ubuntu are you seeing this?	12:18
zul	jamespage: right	12:18
zul	jamespage: so we need to rebuild things?	12:19
jamespage	zul, yeah - I'm just pushing stuff with a ~cloud1 with 'No change rebuild for new version of SQLAlchemy."	12:19
zul	jamespage: ack	12:20
zul	i just uploaded a new version of pbr for trunk packages (as of 5 minutes ago)	12:20
geser	jdstrand: ubuntu server 13.04	12:20
jamespage	zul, OK	12:22
jdstrand	geser: /var/lib/dhcp/dhcpd{,6}.leases* lrw is not in the 13.04 profile. did you add it yourself?	12:22
jdstrand	oh, dhcpd	12:22
jdstrand	hold on	12:22
StathisA	hello, i'm trying to get my head around Tar syntax...i got two folders.../mnt/source & /mnt/destination...how can i tar the contents of /mnt/source to a tar file in /mnt/destination without running the command from neither of them?	12:23
geser	jdstrand: for the background: I'm trying to fix #1186662, and got this far after changing the owner of /var/lib/dhcp to dhcpd so that dhcpd can write to it again	12:26
jdstrand	geser: see 'man apparmor.d'. do the source and target files meet the criteria for 'Link mode'?	12:29
jdstrand	geser: it isn't clear to me if the apparmor.d man page is talking about the apparmor permissions or the apparmor+DAC permissions	12:32
jdstrand	geser: I need to call in reinforcements	12:32
jdstrand	jjohansen: I'm not sure what is going on with geser ^ and his quest to fix bug #1186662	12:33
uvirtbot	Launchpad bug 1186662 in isc-dhcp "isc-dhcp-server fails to renew lease file" [Undecided,Confirmed] https://launchpad.net/bugs/1186662	12:33
jdstrand	jjohansen: backscroll 24 minutes from this timestamp	12:33
geser	jdstrand, jjohansen: does owner of the file matter when linking? dhcpd is run as dhcpd and dhcpd6.leases is owned by root currently	12:34
jdstrand	that's the bit I'm not sure of	12:34
jdstrand	I would think you would see a dac_override entry if that were the case	12:35
jdstrand	geser, jjohansen: I wonder if it has anything to do with 4.2.4-1ubuntu4 and bug #1028526	12:37
uvirtbot	Launchpad bug 1028526 in isc-dhcp "dhcpd failed to start with apparmor denied: capname="dac_override"" [High,Fix released] https://launchpad.net/bugs/1028526	12:37
Madkiss	roaksoax: y0.	12:47
hallyn	lifeless: are you still seeing the libvirt memory leak with virt-manager? I was running under valgrind to inspect... but now i can't reproduce it, even without valgrind	12:51
Madkiss	roaksoax: i have afresh pcmk 1.1.10+git here that fixes some nasty bugs.	12:57
=== p0wp0w_ is now known as p0wp0w
zul	jamespage: https://code.launchpad.net/~zulcss/cinder/babel/+merge/178747	13:20
zul	jamespage: ping i was thinking....shouldnt we building against the -proposed pocket in the openstack-ci lab since we would be catching stuff much sooner	13:24
zul	like the sqlalchemy stuff	13:25
roaksoax	Madkiss: perfect ill get that synced	13:51
Madkiss	roaksoax: where is your stuff?	14:05
hallyn	stgraber: http://people.canonical.com/~serge/lxc-resolve.debdiff	14:06
hallyn	biab	14:06
stgraber	hallyn: I think it's fine	14:08
Techdude1011	I am looking for suggestions for snmp trap software. Currently I am using snmptrapd but I would like to add interface descriptions from switches	14:14
roaksoax	Madkiss: ill put it in github in a bit	14:15
Madkiss	ok	14:19
hallyn	stgraber: cool	14:20
jamespage	zul, sorry - was OTP	14:27
jamespage	zul, thats a really good point	14:28
zul	jamespage: i could do that if you want	14:28
* jamespage thinks		14:28
zul	jamespage/roaksoax: https://code.launchpad.net/~zulcss/cinder/babel/+merge/178747	14:32
zul	jamespage: typo fixed	14:38
jamespage	zul, someone synced over your python3 changes in stevedore btw (might have been Daviey)	14:40
zul	jamespage: grrr...	14:40
* zul shakes his fist at Daviey		14:41
zul	jamespage: mind if i push this cinder branch i fixed the changelog entry	14:43
jamespage	zul, +1	14:43
zul	jamespage: thnak	14:44
zul	jamespage: the sqlalchemy fix we had in nova got merged fyi	14:46
jamespage	great	14:53
zul	jamespage/roaksoax: https://code.launchpad.net/~zulcss/keystone/oslo.sphinx/+merge/178778	14:59
zul	SpamapS: pinger	15:13
zul	jamespage: what did you do to fix the autopkgtests with nova?	15:15
smoser	mr hallyn	15:19
smoser	are you around sir ?	15:19
hallyn	smoser: yup	15:37
hallyn	[ERROR] ./stack.sh:698 nova-api did not start	15:37
hallyn	guess i'm really not meant to use this on saucy	15:37
smoser	i have 2 [recurring] lxc questions. a.) lxc-start-ephemeral minus the ephemeral . b.) lxc clone hooks.	15:38
smoser	hallyn, i dont know. i think i used it last on raring fairly painlessly.	15:38
smoser	i think my ud-devstack worked start to end last time i used it.	15:39
zul	jamespage/roaksoax: this is really needed to get python-pbr through: https://code.launchpad.net/~zulcss/heat/sqile-fix/+merge/178786	15:39
hallyn	smoser: what is ud-devstack?	15:40
hallyn	stgraber: this is great, and i can also resolve c1.lxc from c2.lxc from there. cool. pushing.	15:40
SpamapS	zul: pongitola	15:44
smoser	https://gist.github.com/smoser/4795358	15:45
zul	SpamapS: any idea when heat is going to switch over to neutronclient?	15:45
smoser	hallyn, ^	15:45
smoser	hallyn, see my questions above ?	15:45
smoser	i was poinged by juju team.	15:45
smoser	they're interetsed in clone being faser	15:45
smoser	and those are 2 things that they'd need.	15:45
* hallyn reading up		15:45
hallyn	smoser: what time, which chan?	15:46
SpamapS	zul: got a bug? I'll grab it and submit a patch now.	15:47
SpamapS	(or file the bug)	15:47
hallyn	oh i see. weird	15:48
hallyn	my eyees just totally glazed over that	15:48
smoser	hallyn, what?	15:49
smoser	oh.	15:49
smoser	questions above.	15:49
smoser	i have 2 [recurring] lxc questions. a.) lxc-start-ephemeral minus the ephemeral . b.) lxc clone hooks.	15:49
smoser	and ud-devstack is : launch instance with --user-data of that 'ud-devstack.yaml' and then wait.	15:49
zul	SpamapS: https://bugs.launchpad.net/heat/+bug/1197208	15:49
hallyn	smoser: so those things all work great using the ubuntu-lxc/daily ppa.	15:49
uvirtbot	Launchpad bug 1197208 in heat "Migrate Quantum references to Neutron" [Undecided,In progress]	15:49
hallyn	a. lxc-start-ephemeral minus the ephemral, becomes:	15:49
hallyn	lxc-create -t ubuntu -n orig	15:49
hallyn	lxc-clone -B overlayfs -o orig -s -n ephem1	15:49
hallyn	b. lxc clone hooks - thye should be there (in ppa), lemme check	15:49
hallyn	yup, lxc.hook.clone is there	15:50
hallyn	note the saucy lxc should be merged from upstream git in (iirc) august. stgraber is gonna strangle me soon because i can never remember the dates he has in mind	15:50
smoser	hallyn, k. thank you.	15:51
hallyn	smoser: np, shout if you need more	15:53
geser	jdstrand: I did some more tries: after chowning both the directory and dhcpd6.leases back to dhcpd (after starting it), the leases rotated now without error in syslog. So it looks like it's related to that bug you fixed in the past. (testing is time-consuming as dhcpd rewrites the leases file once per hour (hardcoded))	16:04
SpamapS	zul: is LP having issues right now?	16:04
SpamapS	zul: can't seem to get to that bug report :p	16:05
zul	SpamapS: not that i know of	16:05
zul	SpamapS: meh...that patchset seemed to got abandoned	16:06
SpamapS	zul: yeah will try to revive	16:06
SpamapS	if launchpad will talk to me. :-P	16:07
smoser	hallyn, because i'm that lazy...	16:07
smoser	lxc ppa link ?	16:07
hallyn	smoser: pad.lv/~ubuntu-lxc/daily	16:07
hallyn	nope	16:07
hallyn	not that	16:07
hallyn	https://launchpad.net/~ubuntu-lxc/+archive/daily	16:07
zul	SpamapS: you have to talk to it nicely :)	16:10
koolhead17	hi SpamapS	16:10
SpamapS	zul: and s l o w l y ...	16:10
SpamapS	[1235993.357149] systemd-hostnamed[17620]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!	16:11
SpamapS	wtf	16:11
zul	stop using fedora ;)	16:12
zul	jamespage: before you go https://code.launchpad.net/~zulcss/heat/sqile-fix/+merge/178786	16:26
jamespage	zul, +1	16:26
zul	jamespage: thanks	16:26
=== alamar is now known as julian
=== julian is now known as alamar
jjohansen	jdstrand, geser: so yes file ownership matters. However the link rule unless you stick the owner conditional won't enforce that restriction. Where you will see the restriction is apparmor's stacking with capabilities. Capabilities may require dac_override to access a file with different ownership	16:52
jjohansen	you will see capability messages with an apparmor message, and this will require a capability dac_override, permission in the profile	16:52
jdstrand	jjohansen: the weird thing is dac_override wasn't logged. maybe kernel logging is getting in the way...	16:53
jdstrand	geser: can you do sudo sysctl -w kernel.printk_ratelimit=0	16:53
SpamapS	smoser: I'm debugging a problem that has cropped up since we started building raring images....	16:53
jdstrand	geser: and report back your denials?	16:53
SpamapS	smoser: could you see a problem with having this: https://github.com/stackforge/diskimage-builder/blob/master/elements/cloud-init-nocloud/install.d/05-set-cloud-init-sources	16:54
jdstrand	jjohansen: have I mentioned how annoying kernel logging is? :P (/me knows you've mentioned it to me)	16:54
SpamapS	smoser: having trouble debugging because my console is local kvm vga and I can't see what was on it easily. :-/	16:55
jjohansen	jdstrand, geser: possible, also note the linkat message is not an apparmor message. geser is that file on a different device? you can't hard link across devices	16:55
TimR	can anybody tell me why my domain name keeps redirecting to my mail server for?	16:56
jjohansen	jdstrand: kernel logging is an absolute mess	16:56
jdstrand	jjohansen: re linkat> oh, duh-- it isn't :) I'm so used to seeing apparmor denials seeing another kernel denial was not even in my headspace :)	16:57
jdstrand	note, that is not me blaming apparmor-- that is me doing far too much profiling ;)	16:57
sarnold	something else in the kernel prints denials?	16:58
jjohansen	jdstrand: heh, no its an easy mistake to make, I had to double check it	16:58
jjohansen	sarnold: a few things	16:58
jdstrand	sarnold: 07:11 < geser> and later "kernel: [2773234.120934] type=1702 audit(1375788247.840:13): op=linkat action=denied pid=31888 comm="dhcpd" path="/var/lib/dhcp/dhcpd6.leases" dev="dm-0" ino=2757	16:58
geser	jjohansen: no, all files are in /var/lib/dhcp, dhcpd runs as dhcpd while the dhcpd6.leases is owned as root (I've chowned /var/lib/dhcp back to dhcpd so it can create the temporary file there again)	16:59
sarnold	jdstrand: wow, cool, crazy :) never seen a 1702 before.	16:59
jdstrand	sarnold: yeah, me either :) maybe I can be forgiven for thinking it was apparmor then :)	16:59
sarnold	jdstrand: definitely :) I hope I'd wonder why it feels so short...	17:00
jdstrand	I definitely thought it was a weird looking line	17:00
jdstrand	I even looked around for it in the apparmor docs, then got distracted by my rememberance of dac_override and the previous bug	17:01
TimR	anybody know the solution to my problem	17:01
sarnold	TimR: sorry, you haven't described it in enough detail to even hazard guesses. can you pastebin commands that work, commands that don't work, and what you think those ocmmands ought to do differently? maybe then someone could help..	17:02
geser	jdstrand: I can only see a dac-override message if I reproduce the state for the old bug (#1028526)	17:03
geser	the next leases should rotate in around 30 min	17:03
TimR	Ok I dont see how much more clear I can get with that issue I am having when domain name is redirecting to my mail server	17:03
sarnold	TimR: maybe pastebin your host or dig output and your zone files?	17:04
TimR	domain name and mail server is pointing at the same address	17:05
jjohansen	geser, jdstrand: its the kernel link protections	17:06
geser	jdstrand, jjohansen: when both the directory and the leases file is owned by dhcpd:dhcpd dhcpd doesn't start (old bug), with root:root dhcpd starts but can't rotate the leases file (current bug), when I change the owner back to dhcpd:dhcpd (both dir and file) after dhcpd started leases file rotating works (till restart)	17:12
geser	would chowning to dhcpd:dhcpd in the upstart job and adding the dac_override cap to the apparmor profile fix both (old and current) bugs?	17:13
jjohansen	geser: why would you chown the file in an upstart job? That is just papering over the problem	17:14
jjohansen	geser: what is the bug # of the old problem? I want to make sure I am correct in my understanding of the old issue before I answer?	17:15
geser	jjohansen: I guess it was done to ensure the right permissions, see http://launchpadlibrarian.net/111078972/isc-dhcp_4.2.4-1ubuntu3_4.2.4-1ubuntu4.diff.gz for the fix for the old bug	17:16
geser	jjohansen: old bug: bug #1028526 ; current bug: bug #1186662	17:16
uvirtbot	Launchpad bug 1028526 in isc-dhcp "dhcpd failed to start with apparmor denied: capname="dac_override"" [High,Fix released] https://launchpad.net/bugs/1028526	17:16
uvirtbot	Launchpad bug 1186662 in isc-dhcp "isc-dhcp-server fails to renew lease file" [Undecided,Confirmed] https://launchpad.net/bugs/1186662	17:16
jjohansen	jdstrand: ^ this is a problem, it runs foul of the kernels link restrictions	17:17
jjohansen	geser: so adding capability dac_override to the profile will fix any apparmor induced problems. However that is not the problem here	17:19
jjohansen	we have a conflict betwen dhcpd privilege sep, and kernel link restrictions	17:19
=== andreas__ is now known as ahasenack
geser	jjohansen: what about the owner of the leases files: dhcpd recreates it after it drops priv as user dhcpd, but dhcpd can't open if for append at startup as root (it happens before dhcpd drops priv). Who should own that file? root or dhcpd?	17:23
sarnold	eww. sounds like dhcpd folks didn't design their privsep correctly?	17:25
geser	I get slowly that impression too	17:26
jjohansen	sarnold: I agree, they have a broken priv sep design, and the only solutions are	17:29
jjohansen	1. Fix dhcpd	17:29
jjohansen	2. turn off kernel link restrictions (which I would consider only a temporary solution)	17:29
jjohansen	geser: you can temporarily fix this by setting /proc/sys/fs/protected_hardlinks to 0, please not this will globally disable kernel link restrictions	17:39
jjohansen	unfortunately this is not something we can control on a per profile or task basis	17:39
geser	jjohansen: my temporary fix for now is to remember to chown the leases file and dir back to dhcpd after I restart dhcpd or the whole server (shouldn't happen too often) till it gets fixed properly	17:42
jjohansen	geser: yeah, that is a more localized fix	17:42
=== ffio is now known as hack
=== hack is now known as nerd
jdstrand	jjohansen: you pointed me at backscroll, but I'm not sure what you were pointing to. are you saying what we did for quantal was wrong?	18:02
=== nerd is now known as baba
jjohansen	jdstrand: I am saying that the dhcpd priv sep patch is in conflict with the kernel link restrictions	18:08
jdstrand	jjohansen: yes, that seems clear now. at the time (quantal), Ubuntu dropped our privsep patch that had worked	18:09
jdstrand	and the new one behaved differently-- and I didn't want to grant dac_override	18:09
jdstrand	funny how this is only coming up now	18:10
jjohansen	yeah	18:10
jjohansen	jdstrand: its likely because of changes made to the kernel link restrictions during upstreaming vs what was in yama	18:11
jjohansen	anyways that is a guess	18:11
jdstrand	huh	18:11
jjohansen	jdstrand: just a guess as to why its surfacing now instead of before	18:11
jjohansen	jdstrand: there where some changes but I'd have to go back to the ml to figure out what they where	18:12
jjohansen	s/where/were/	18:12
geser	do you both have an idea how to fix it?	18:12
jdstrand	am I interpreting that the current workaround is to chown root:root /var/lib/dhcp/dhcpd6.leases~ if it exists, start dhcpd, then chown dhcpd:dhcpd /var/lib/dhcp/dhcpd6.leases~ after it starts?	18:12
jdstrand	(that would be insane)	18:12
jjohansen	jdstrand: yes or disable kernel link restrictions	18:13
geser	jdstrand: yes, that works for me	18:13
jdstrand	yikes	18:13
jdstrand	please file an upstream bug :P	18:13
geser	jdstrand: I did 'sudo chown dhcpd /var/lib/dhcp{,/dhcpd6.leases}'	18:13
jjohansen	jdstrand: that is because if the process has an open file handle to the file, the restrictions are applied differently	18:13
jdstrand	interesting. I have not looked at the code at all, but it seems fairly obvious that if the lease files are going to be handled as the dhcpd user, oh, I don't know, open them as the dhcpd user	18:15
jjohansen	hrmmm, actually no this one is just doing an ownership test on startup, and then ignoring that in the future	18:15
=== james_ is now known as Guest7355
jjohansen	jdstrand: yeah	18:15
geser	jdstrand: dhcpd opens the leases file, drops priv to dhcpd and does later the leases file rotation as part of normal operation	18:16
* jdstrand nods		18:17
jjohansen	geser: it makes the very broken assumption that it can hard link a file it doesn't own as part of the rotation	18:18
geser	I guess upstream assumes that dhcpd can write that file and create files in that dir	18:19
geser	but this conflicts with trying to open the leases file for append as root during the startup phase	18:20
jdstrand	well, it can-- but this is linking files and hardlink restrictions are now part of the linux kernel, so it needs to handle it correctly	18:20
jdstrand	they either need to open as root and rotate as root, or open as dhcpd and rotate as dhcpd, aiui	18:21
jdstrand	again, I've not looked at the code	18:21
geser	http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/saucy/isc-dhcp/saucy/view/head:/server/db.c#L1083 new_lease_file() does the rotation	18:22
jdstrand	geser: I think reporting the bug upstream and employing a short term workaround until they fix it is reasonable	18:24
jdstrand	(we could then cherrypick the fix)	18:24
sarnold	no O_EXCL in that open(2) call? hrm.	18:24
=== Ursinha is now known as Ursinha-afk
geser	http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/saucy/isc-dhcp/saucy/view/head:/server/dhcpd.c#L703 is where the leases file is read during startup while the privs get dropped later in line 775	18:27
=== chuck__ is now known as zul
jkew	Hi folks; I'm looking for information on some of the modifications required for running ubuntu on azure; we are trying to isolate the source of some intermittent io issues and our next step is looking at the distribution provided by microsoft.	18:49
jkew	It looks like Ben Howard is the goto person for this; but I have no idea what channels or methods I would use to ask technical questions on this matter.	18:49
geser	jdstrand: do you know if doing the chown to dhcpd call for those files in a post-startup stance in the upstart job would work? (as a ugly workaround till it can get properly fixed)	19:00
=== Ursinha-afk is now known as Ursinha
rbasak	jkew: Ben Howard is utlemming on here, or try the ubuntu-cloud mailing list	19:07
jkew	rbasak: thanks	19:08
jdstrand	geser: I don't-- I only mentioned that based on your comments	19:19
jdstrand	geser: it seems plausible and worth testing	19:19
geser	jdstrand: I tested it, but it doesn't work (unless I made a mistake with the upstart job)	19:20
geser	will file the problem upstream to get it fixed properly	19:21
geser	stgraber: do you know if it's possible to use a post-start stance in an upstart job where the daemon get started in the foreground?	19:26
mac_nibblet	Hmm, since when does ubuntu-server name it's network devices as nm ?	19:29
mac_nibblet	this is a vanila install and i have not added network-manager	19:30
stgraber	geser: I think so, though if it really starts in the foreground and doesn't send a signal back to upstart or fork at some point, I'd then expect post-start to happens immediately after the command is started, so quite possibly before the daemon is actually operational	19:30
sarnold	mac_nibblet: /etc/udev/rules.d/70-persistent-net.rules is usually responsible for NIC names..	19:30
mac_nibblet	sarnold: but is this really expected behavior ?	19:31
guntbert	mac_nibblet: I've never seen that (and it has nothing to do with Network manager as someone said)	19:31
sarnold	mac_nibblet: maybe? :) what specifically are you seeing?	19:32
mac_nibblet	file does not exist	19:32
geser	stgraber: I tried to chown some files (the isc-dhcp-server issue) as a workround after dhcpd get started but they stayed root:root	19:32
mac_nibblet	sarnold, guntbert: im wondering if i should try and just reinstall the server before i get more weird things	19:34
mac_nibblet	takes like 8 minutes to reinstall so ..	19:34
stgraber	geser: so I really think the right way is to switch the ownership of the directory and figure out exactly what's going on with apparmor that prevents isc-dhcp from doing the whole create/rename/destroy thing	19:35
guntbert	mac_nibblet: I would not expect to see different results	19:35
stgraber	geser: sarnold or jjohansen should be able to help you there	19:35
jdstrand	stgraber: we know what the problem is (it was discussed in backscroll)	19:35
jdstrand	stgraber: dhcpd is doing their priv separation wrong	19:36
geser	stgraber: it's a combination of AppArmor, dhcpd's priv sep and Kernel Link Protection	19:36
geser	during startup the file needs to belong root and during operation dhcpd :(	19:37
stgraber	jdstrand: just read the backlog now, that'd indeed explain it...	19:37
jdstrand	it really isn't apparmor, it is the kernel link protection	19:38
stgraber	note that ISC isn't terribly good at fixing bugs or giving any feedback outside of security issues	19:38
stgraber	getting an upstream priv dropping code took over 2-3 years so having it changed/fixed may take just as long	19:38
stgraber	so we should either look into fixing that and carrying a patch until they eventually merge it or find a robust workaround (I don't want that bit to be racy in 14.04)	19:39
geser	omg, perhaps we should add some chown calls before dhcpd calls setuid()	19:39
geser	jdstrand: without AppArmor we could let dhcpd own those dir and files (AppArmor was the reason they got changed to root:root)	19:41
jdstrand	I hope you aren't suggesting dropping apparmor :)	19:42
jdstrand	it needs to either open and rotate the files as dhcpd, or open and rotate the files as root	19:43
jdstrand	opening as root and rotating as dhcpd is the problem	19:43
geser	jdstrand: certainly not suggesting it	19:43
geser	jdstrand: what about changing the owner of those files before calling the setuid()/setgid()?	19:44
jdstrand	they are probably opening as root and handing off the fd as a security protection	19:44
jdstrand	geser: that should work-- sarnold ^	19:45
stgraber	In an ideal world dhcpd should own /var/lib/dhcpd and not open any fd until after it's done dropping privileges	19:45
sarnold	yeah, I like stgraber's ideal world :)	19:46
stgraber	the main/only reason why it even needs to run as root is to open a raw network socket, so it really should do that and then drop privs like any proper daemon should	19:46
jdstrand	that's what I was suggesting with opening as dhcpd	19:46
stgraber	and I think that's the patch we should apply to Ubuntu, get into Debian and forward to ISC so maybe one day it'll be done properly upstream	19:47
jdstrand	wfm	19:47
=== Ursinha is now known as Ursinha-afk
stgraber	geser: if you want to have a try at doing this, feel free, if not, please comment in the bug report (I think you mentioned one earlier right?) and assign to me so I have it on my todo	19:48
geser	jdstrand: dhcpd has an option to check the validity of the leases file and it does it before it does its deamonizing	19:48
stgraber	(I'm on vacation until Thursday and at Debconf next week but I may find some quiet time to do that anyway or will look at it once I'm back home on the 20th)	19:49
geser	stgraber: will add my findings to the bug tomorrow and see if I can code a workaround	19:49
sarnold	stgraber: oh nice, enjoy your vacation and debconf :)	19:50
jdstrand	seems like that check should definitely be done as non-root	19:51
geser	I agree, so dhcpd can complain if it has access issues to the leases file when run as non-root	19:52
=== james_ is now known as Guest20713
=== Ursinha-afk is now known as Ursinha
SpamapS	smoser: need your opinion about a problem we're seeing...	21:44
SpamapS	smoser: so the problem from earlier is that we don't have a serial console defined on some of the vms we boot..	21:44
SpamapS	smoser: when that happens, anything that uses 'console output' fails because /dev/console is inoperable	21:44
SpamapS	smoser: it is inoperable because cloud images specify console=tty1 console=ttyS0...	21:45
SpamapS	smoser: is it reasonable to expect the cloud images to boot w/o a serial device? (I think.. yes)	21:45
utlemming	SpamapS: this seems more like a bug for Ubuntu	21:47
utlemming	but I would agree that that shouldn't trigger a failure	21:47
smoser	https://bugs.launchpad.net/ubuntu/+source/cloud-initramfs-tools/+bug/1123220	21:48
uvirtbot	Launchpad bug 1123220 in cloud-initramfs-tools "cloud-image VM causes kernel panic if image is resized" [Low,Triaged]	21:48
smoser	thats the bug	21:48
smoser	and you can read the email thread on it.	21:48
smoser	SpamapS, ^ you see that ?	21:53
smoser	the simplist solution is "well attach a serial device for petes sake!"	21:54
* smoser has to go to bed, but there is a very complete email thread attached to that bug.		21:55
smoser	it is very much less than trivial to accomplish what we want.	21:55
smoser	and i'm open to any ideas.	21:55
SpamapS	smoser: in the past we had a different kernel bug that required us to not have a serial device.. ;)	22:02
SpamapS	smoser: thanks for the bug link. That is in fact the bug I was looking for.	22:11
hadifarnoud	I followed this guide http://pleasefeedthegeek.wordpress.com/2012/04/21/l2tp-ubuntu-server-setup-for-ios-clients/ for L2TP vpn. it connects but I cannot access any website. I think step 3 is wrong. can anyone help?	23:50

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!