=== freeflying is now known as freeflying_away
=== freeflying_away is now known as freeflying
[02:59] best way to explicitly allow a python script to write image files into a directory?
[02:59] should I be giving the user executing the python files chown of the script and the dir?
=== freeflying is now known as freeflying_away
=== freeflying_away is now known as freeflying
[04:59] hey all, I've been fighting with some remote service issues and I can't get my SSH keys to be used, every time I push/change a key, log out and back in, the server is asking for a password even though i know for a fact a valid key exists on both the server and my desktop
[05:00] this happens even when I do a raw SSH connection
[05:01] resno: that depends on your needs and your funds. how worried are you about data security?
=== peter is now known as Guest60662
[06:33] Hola. I am migrating a couple sites from a cPanel server to an ubuntu server and I need to setup email accounts for each domain. I don't have to make it super easy to maintain or anything, but is anyone aware of any guides or anything specific to look for on this subject?
=== caribou_ is now known as caribou
=== smb` is now known as smb
[08:16] I am able to telnet localhost 25 but I am not able to telnet domain.com 25 from my local computer. I've checked the firewall (iptables) and it appears to be appropriate. Even without any rules defined I find the same result. Trying to figure out what else might be at play
[08:16] any random stabs in the dark?
[08:17] It seems I am able to send mail out, but still unable to confirm that a response can be received back
[08:23] ah, my ISP is blocking port 25
[08:23] and the return email has been received.. delicious
[08:31] does anyone have any experience with eurephia plugin for openvpn? :)
[08:43] Hello, I've installed mkfs.xfs on my raid, and I'm receiving this message: http://pastebin.com/rVWnpwwN
[08:43] What can I do to fix the problem?
=== freeflying is now known as freeflying_away
[09:30] hallyn: is there any plan to fix bug 1207675, causing smoke failure on saucy server..
[09:30] http://reports.qa.ubuntu.com/smokeng/saucy/server/4419/lxc/429415/
[09:30] Launchpad bug 1207675 in ubuntu-test-cases "test_lxc_api test fails during container creation " [Undecided,New] https://launchpad.net/bugs/1207675
=== freeflying_away is now known as freeflying
=== aqwxcv is now known as T4h
[11:02] hello, I want to search all the file with attr ---i----, but find command seems could not do that.
[11:04] my server has been hacked. and I found some file with the attr --i----. so I want to search all the file.
[11:05] litsand: you mean the immutable bit?
[11:05] yes.
[11:05] if your server has been hacked, you should wipe it and reinstall
[11:06] theres no sure way to tell if you got rid of all the stuff
[11:06] you could just navigate to the root of the directory structure you want to search and use lsattr -R | grep -- "-i-"
[11:06] as a quick hack
[11:06] Ben64: thats not really an option usually :)
[11:06] it should be
[11:06] also you don't know what security measures are in place
[11:06] apparently not enough
[11:06] for example I use chrooted webfolders for shared servers
[11:07] single site gets hacked due to an old CMS or guessed/leaked password, only 1 site is compromised
[11:07] no need to reinstall the server due to that
[11:07] yes there is
[11:07] if they got root who knows what they could have done
[11:07] as you don't know what the exploit has done
[11:07] of course you will need to do additional checks, have some form of intrusion detection system, external logging
[11:07] it is the only way to have confidence
[11:07] you can't "check" after the exploit
[11:08] yes you can
[11:08] its called forensics
[11:08] what if they modified executables
[11:08] I'm sorry but I disagree as the tools you use are not to be trusted
[11:08] Sling thanks. thanks all~
[11:08] who says you use tools on that system
[11:08] don't assume so much :)
[11:08] and Ben64, they didn't get root in that case
[11:08] you have to be realistic about it
[11:08] you're not going to start pulling disks out of other machines
[11:08] most 'hacks' are not due to root access being compromised
[11:09] but due to FTP accounts being compromised
[11:09] depends on the situation of course, but from my experience with shared hosting setups
[11:09] assuming best case scenario is asking for trouble
[11:09] you don't know though
[11:09] you can't assume they didn't get root
[11:09] or they didn't do something
[11:10] ..
[11:10] it's all "guess" or "hope" the only way is to do a clean install or as you say move the data to another machine and check it properly
[11:10] did you read what I wrote?
[11:10] external logging, forensics
[11:10] the time it would take to go through every file and make sure its ok, you could have reinstalled everything already
[11:10] also, there is selinux/grsecurity and mounting system files readonly, etc
[11:10] not on ubuntu
[11:10] you don't need to go through every file
[11:11] ikonia: what not on ubuntu?
[11:11] selinux by default
[11:11] no, not by default
[11:11] ^ ^.I think it is a hard way to clean a hacked server. But there is also a way to do it. It depends on your skills.
[11:11] litsand: Error: "^.I" is not a valid command.
[11:11] you'd need to set that up - which doing so post compromise seems invalid
[11:11] but a default install is not what you use in a hardened production environment
[11:11] if you do use the default, then sure reinstall
[11:11] and of course you dont do that post hack, obviously
[11:11] and you say i'm assuming too much...
[11:11] pretty much everyone who says "I've been hacked" in this channel is due to using defaults
[11:12] perhaps im not used to the ubuntu level of sysadmins :)
[11:12] Sling: yes, you'll find the people who know what they are doing/don't use defaults are not in a channel asking "I'm hacked what do I do"
[11:14] all right. thanks for your help. I got what i want.
=== Guest4285 is now known as Lartza
[12:08] hi guys, i've used BIND (named) and dnsmasq for a while now, and i'm contemplating setting up a nameserver for a new domain i've purchased. no question i can set it up with BIND, but i'm wondering if others have (good) experience with another name server soft?
[12:19] aandy: the "internet" uses bind....for a reason
[12:20] e.g. that it managed large zones ;)
[12:21] aandy: There are some people who prefer PowerDNS, since it allows them to use other backends than flat files.
[12:22] andol: ah, hadn't heard of powerdns. i'll check it out, thanks
[12:23] aandy: But most important, do you know why you want to run your own authoritative DNS servers, instead of just going with a DNS hosting provider? There are some good reasons to run your own DNS, but it does require a bit of an effort to get it good enough that you actually benefit from it.
[12:24] aandy: Of course, learning can itself be a good enough reason :)
[12:31] andol: yes, i'm aware. i'll might need an "easier" way to administrate subdomains. i also might not, but either way i'd like to give it a go :) so yeah, learning is a big part of it
[12:32] i've run some reverse dns zones before, and two domain zones (both in bind), i just wanted to check if there were alternatives - not because bind sucks ;)
[12:34] aandy: Fair enough. Just threw that last comment out there since you never know with random people on IRC, and because I have definitely seen people who shouldn't run their own DNS do so.
[12:39] andol: hehe, duly noted, and i appreciate your concern. depending on how this project pans out, we might not even need it. but we probably will
=== s is now known as Guest72408
[13:09] adam_g, how much have you tested the havana support across the charms? hitting a context call ordering issue with neutron
[13:09] neutron < nova and neutron packages get called in the nova context....
[13:09] (nova-compute charm)
[13:12] jamespage: new novaclient coming down the pipe
[13:12] zul, great
[13:12] psivaa: oh, hm. please do mark those as also affecting lxc, else i don't find them.
[13:12] Not obvious from the report what is actually failing, will have to reproduce
[13:15] hallyn: ok, ill mark it as affecting lvm
[13:15] *lxc
[13:15] jamespage: btw i got the glance tests working again on friday so i can melt your laptop for you
[13:18] jamespage/roaksoax: https://code.launchpad.net/~zulcss/python-novaclient/2.15.0/+merge/187233
[13:34] for people with servers in a datacenter, do you do backups onsite? off site? and where do you handle monitoring?
[13:37] depends on many things, it's part of estate planning
[13:46] jamespage/roaksoax: https://code.launchpad.net/~zulcss/keystone/oauth-refresh/+merge/187239
[13:56] adam_g, urgh - I'm getting lost in how the quantum/neutron stuff works in nova-compute
=== freeflying is now known as freeflying_away
[14:23] psivaa: remind me, is the utah testsuite only run on saucy?
[14:24] hallyn: no, as a host raring, precise also work
[14:26] hallyn: i mean utah can be installed and run on raring as well and our test servers are precise machines
[14:26] psivaa: test servers are precise, but they run the tests on saucy vms don't they?
[14:27] hallyn: right
=== hatch_ is now known as hatch
[14:41] I've mounted the backuppc pool on a separate raid1 disk, yet it seems that space used on /var/lib/backuppc is also being count on the actual /var partition: http://dpaste.com/1394441 Why is this happening, and how should I fix it?
[14:55] ihre: the ncdu output you are wondering about?
[14:56] I mean, the df output looks like of as expected?
[14:59] andol: well, after I've unmounted /var/lib/backuppc, df -h still shows 14G in use on /var, while ncdu reports ALOT less
[15:00] ihre: Perhaps you really have 14G under /var, not counting /var/lib/backuppc?
[15:03] ihre: That the problem being that ncdu isn't displaying that for some reason. Also, instead of looking at /var from within you might get a truer result by looking at from the outside, like doing ncdu /var alt du /var.
[15:04] ihre: Could possibly also being an issue with unlinked inodes still being kept alive due to some process still having a hold on them, that being reported differently by (nc)du vs. df
[15:05] hallyn: i assume you've been able to reproduce the bug?
[15:05] andol: I'm running du -hsx /var at the moment, i'll report it asap
[15:05] psivaa: a bug, yes. just pushed a fix, now to test it :)
[15:05] hallyn: ack, thanks :)
[15:05] andol: du -hsx /var: 2.7G /var/
[15:06] andol: How can I check for unlinked inodes, then?
[15:08] Not sure what the best option is, but I've used lsof now and then to figure such things out.
[15:08] Depending on the machine in question you could always reboot of course :)
[15:10] sure, but this is the second time it is happening now
[15:11] psivaa: yeah that fixed the lxc_test_api which was the first failure I hit. I'm going to mark it fix resolved in the bug, but if you hit another one pls do reopen.
[15:11] ihre: In that case I don't know.
[15:12] hallyn: ok, will do
[15:12] thanks :) ttyl
[15:12] * hallyn biab
[15:12] andol: thanks anyway, i'll start digging into unlinked inodes then
[15:39] smoser, jamespage fyi I added caribou to the meeting for a regular slot on "Server and Cloud bugs" that need some focus on, and aren't covered in the development section
[15:40] https://wiki.ubuntu.com/ServerTeam/Meeting updated
[15:40] arosales, ok
[16:06] Hi all. I have a question related to the nice piece of software known as AppArmor. Is it somehow possible to list the apparmor rules for a process currently being active ?
[16:06] (I need to make sure that all my rules have been properly loaded)
[16:08] jamespage, the idea was that places where things had been named quantum-* (eg, config-get quantum_plugin , relation-get network_manager) would first query for the new neutron_* variation, then legacy quantum_*
[16:08] linuxr: list what is in the kernel? No, they are compiled into an automata. Saucy's kernel has a new feature that exports a hash value for each profile, you can use a userspace tool to compare the userspace compile to what is in the kernel
[16:08] adam_g, getting my head around it slowly
[16:08] *its hard*
[16:09] adam_g, I just pushed a few more havana fixes for glance and cinder
[16:09] the keyring for ceph was getting created with restricted permissions causing the daemons to stop
[16:13] jjohansen, who is saucy? :)
[16:14] linuxr: sorry saucy salamander is the development name of ubuntu 13.10
[16:14] ah lol..okay jjohansen , thanks!
[16:15] adam_g: something weird with your merge request for troveclient
[16:19] jamespage, http://paste.ubuntu.com/6150766/ this should be what determines whether or not nova-compute is using quantum, neutron, or flatdhcp
[16:19] jamespage, _network_config() is basically just getting ['network_manager', 'neutron_plugin', 'quantum_plugin'] from the cloud-compute relation
[16:20] adam_g, gotcha
[16:20] adam_g, hitting a bug right now with havana
[16:21] /etc/neutron is not created by the time the charm tries to write neutron.conf
[16:23] jamespage, you got a paste by chance?
[16:28] Hi. I'm in charge of techy stuff in a small university lab with several workstations. Authentication is done by NIS on our fileserver (10.04). If this server dies for whatever reason, no one can log in, obviously, but how do I go about making a local admin account (perhaps root) that CAN log in without NIS?
[16:29] I've setup a local user in /etc/passwd, but logging in with that user when the NIS server is down, just hangs
[16:38] ancaster: your /etc/nsswitch.conf file determines what authentication backends are used
[16:38] what does it look like now?
[16:38] passwd/group/shadow are all compat
[16:39] no references to nis ?
[16:39] no. the last line in the workstations' /etc/passwd file is: +::::::
[16:40] i was under the impression that that signifies an NIS lookup
[16:42] it does, but its not really the 'modern' way of configuring this ;)
[16:42] it doesnt allow for shadow passwords, also it needs to query the NIS server every time a UID/GID is looked up
[16:43] i see
[16:43] so you might want to investigate using nsswitch instead, which allows you to specify 'nis files' to try file-based authentication when nis is unavailable
[16:44] ah, lovely.
[16:44] or 'files nis' if you want to use file-based auth primarily, and use NIS for any accounts that aren't present in /etc/passwd
[16:44] yeah, i think that's how i'd like it to work.
[16:45] I was looking at the ubuntu wiki for help, but i guess it's misleading: https://help.ubuntu.com/community/SettingUpNISHowTo
[16:45] As it talks about setting up the /etc/passwd file as we have
[16:45] its outdated I reckon
[16:46] http://tldp.org/HOWTO/NIS-HOWTO/settingup_client.html#AEN313
[16:46] As a general rule do you normally go to tldp for up to date documentation?
[16:46] no, this was just from googling
[16:47] i usually just go to the project's own documentation site/wiki/whatever
[16:47] okay.
[16:47] thanks so much for your help.
[16:47] no problem
[17:40] Hi all, I'm trying to configure a KVM bridge for a KVM host. The twist is that the primary interface I want to use a bridge with is a bond (802.3ad). I'm having trouble getting this to work and there seems to be a sparse amount of information on this topic online. Any thoughts?
[18:17] hello all, i'm having an issue working with SSH keys, no matter what I've tried my desktop is always asking me for a password when SSHing out to another machine I have 4 machines that i really need ssh access to, one is for a private git
[18:17] i'm to the point of nearly crying over why I cant f***ing ssh into any, ANY machine from my desktop
[18:19] gartral: does ssh-add -l show your key added to the local keychain?
[18:19] sarnold: yes
[18:20] gartral: are permissions on your home directory, ~/.ssh/, ~/.ssh/* directories and files all correct on the servers you're trying to log in to? (sshd is very picky, group write access is not allowed...)
[18:22] sarnold: yes, i ran chmod -R 600 ./.ssh on the server and my desktop
[18:25] gartral: hrm, 600 isn't right either :) 700 for ~/.ssh, 644 for ~/.ssh/authorized_keys 600 or 400 for ~/.ssh/id_rsa...
[18:31] utlemming, manjo had a question for you about our cloud images and arm.
[18:31] adam_g: https://code.launchpad.net/~zulcss/python-novaclient/2.15.0/+merge/187233 https://code.launchpad.net/~zulcss/cinder/cinder-fix-ftbfs/+merge/187236 and https://code.launchpad.net/~zulcss/keystone/oauth-refresh/+merge/187239
[18:32] i'm not sure if you can answer or not... wish rbasak was around.
[18:32] zul, ack
[18:32] zul, any luck with python-cliff?
[18:32] adam_g: yeah just trying out now
[18:33] mango: what's up?
[18:33] manjo: ^
[18:33] utlemming, trying to use our armhf builds to boot on ARM using kvm/qemu but I don't seem to be able to get a prompt ... followed the wiki & smoser 's blog
[18:33] utlemming, ci images
[18:33] sarnold: it's STILL asking for my damn password!
[18:33] utlemming, so the Q is does our std build ci images work on arm ?
[18:34] manjo: it should....it defaults to the serial console though
[18:34] manjo: are you on bare metal?
[18:34] utlemming, I set serial to stdout
[18:34] manjo: what is the device type that you're using?
[18:35] utlemming, dev/kvm ?
[18:35] manjo: so this is kvm on arm?
[18:36] yes that is correct
[18:36] ARM system using dev/kvm booting armhf ci images using qemu
[18:37] utlemming, I used smoser 's instructions on wiki and his blog .. both seem to print some messages wrt to audio drivers and then no prompt
[18:37] why is something that used to be so freaking simple being such a pain now
[18:37] so I get bunch of messages about ALSA etc ... and then nothing more
[18:37] manjo: can you file a bug with what you're seeing?
[18:37] zul, did anything come of that patch to avoid the oauth requirement?
[18:37] utlemming, yep can do right away .. who would I assign that to ?
[18:38] manjo: me
[18:38] ok great will do
[18:38] manjo, you get the kernel to boot ?
[18:39] manjo, get a kernel console log. boot with a serial device logging to a file.
[18:39] smoser, I am guessing it is booting coz it prints some alsa messages .. which I am guessing comes from the kernel
[18:39] smoser, ack
[18:39] smoser, I did something like -serial stdio
[18:40] smoser, so can I say -serial /tmp/foo ?
[18:41] -serial file:serial.log
[18:42] smoser, ack
[18:51] sarnold: any other ideas?
[18:51] smoser, -serial file:log does not have anything written to it
[18:51] gartral: try ssh -v to see if there's helpful messages?
[18:52] manjo, how are you running it ?
[18:52] udo qemu-system-arm -machine vexpress-a15 -cpu cortex-a15 -enable-kvm -m 512M -kernel /boot/vmlinuz -append "console=ttyAMA0 earlyprintk=serial root=/dev/mmcblk0 ro rootfstype=ext4" -serial file:serial.log -initrd /boot/initrd.img -drive if=sd,cache=writeback,file=./disk.raw -net nic -net user,hostfwd=tcp::2223-:22 -display none
[18:53] sarnold: I have hang on http://paste.ubuntu.com/6151087/
[18:54] smoser, does that look sane ?
[18:56] well i would tell the kernel to write to ttyS0
[18:56] not ttyAMA0
[18:56] but i really dont know anything.
[18:56] smoser, cat /proc/cmdline
[18:56] console=ttyAMA0 nosplash
[18:57] gartral: are you sure your server supports DSA keys?
[18:57] sarnold: I've tried both rsa and dsa keys
[18:57] smoser, does not make a diff with ttyS0 either
[18:58] sarnold: and it isn't saying key refused, it's *JUST* giving me a password prompt, with keys that aren't passworded
[18:58] sarnold: also, this is happening on ALL servers that i'm trying to connect to
[18:58] gartral: do the servers log anything?
[18:59] manjo, what ubuntu release is 'disk.raw' ?
[18:59] saucy
[18:59] current
[19:00] generated as per instructions on wiki page https://help.ubuntu.com/community/UEC/Images#ARM_Images
[19:00] smoser, don't know why serial captures nothing either
[19:01] adam_g: http://people.canonical.com/~chucks/ca/
[19:02] utlemming, smoser so you are able to use std ci images on intel with kvm/qemu ?
[19:02] with saucy is what I meant to ask
[19:03] zul, +1
[19:04] zul, what was the review for the keystone patch that made extension's python deps optional?
[19:04] can't seem to find it
[19:04] adam_g: gimme a sec
[19:04] manjo, cloud images work fine on intel with kvm. yes.
[19:04] zul, wait
[19:04] zul, dont upload! :)
[19:04] intel (amd64 or i386)
[19:04] keystone?
[19:04] manjo: I have a mtg, but i'll look at this after
[19:05] zul, cliff
[19:05] zul, it just ftbfs in precise PPA
[19:05] manjo: if you can give me a few hours, I'll get you an answer
[19:05] ok
[19:05] adam_g: yeah it needs to depend on a newer version of cmd2
[19:05] just noticed lemme fix this in saucy and then ill re-upload it to the ca
=== kenneth is now known as Guest93406
[19:19] if I make a symlink to a file, can I edit it though FTP transparently?
[19:19] through*
[19:21] izanagisan: some ftp servers may choose to not follow symlinks.
[19:22] hallyn: ping
[19:22] crap. I just don't want to FTP directly to the config folder where this particular file is
[19:23] it's caused hell in the recent past
[19:25] zul: .
[19:25] hallyn: if you specify a lxc.console = in your lxc config does the file get created for you when the container starts?
[19:27] zul: no
[19:27] hallyn: ok just double checking im doing the write thing here
[19:28] maybe
[19:29] zul: yeah it creates it if it doesn't exist
[19:30] (actually, if it can't write to it)
[19:30] ah cool
[19:30] one less step for me
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== kenneth is now known as Guest80819
=== SJrX is now known as SJr
[20:35] manjo: did you file a bug?
[20:35] manjo: I'm able to take a look at it now
[20:35] anyone here have experience with cloud-init in EC2? I am trying to create a custom AMI based on the official Ubuntu Precise AMI. when I start up my new AMI, cloud-init does not seem to trigger. I want it to run, set up puppet and trigger a run. I'm creating the AMI by launching an instance, letting cloud-init and then puppet run to configure it, and using the ec2-bundle-vol command.
[20:36] utlemming, sorry got pulled into a call ... I will file asap and ping you
=== mikal is now known as annegentle_proxy
=== annegentle_proxy is now known as mikal
=== ancaster is now known as NinjaCoder12
=== NinjaCoder12 is now known as acidburn
[21:26] is it possible to force a server to identify specific physical disks as specified /dev/sda /dev/sdb? I have a system with 10 disks and I'd like 2 specific physical disks to be identified (which happen to be different make/models) as /dev/sda /dev/sdb
[21:27] I realize after the disks are identified I can use UUID....but right now I'm building software RAID arrays using mdadm....and having things "orderly" might help my sanity
=== freeflying_away is now known as freeflying
[21:39] urthmover, check out udev
[21:39] really though, I wouldn't bother
[21:52] ok
[21:52] thanks patdk-wk
[21:54] anyone here have experience with cloud-init in EC2? I am trying to create a custom AMI based on the official Ubuntu Precise AMI. when I start up my new AMI, cloud-init does not seem to trigger. I want it to run, set up puppet and trigger a run. I'm creating the AMI by launching an instance, letting cloud-init and then puppet run to configure it, and using the ec2-bundle-vol command.
[21:55] If you're bundling something that has already booted you might have to clear state out of /var/lib/cloud, IIRC.
[21:57] I did that. I exclude /var/lib/cloud/instance and instances.
[22:00] what's the best way to re-run cloud-init?
[22:01] You could probably just re-run the init script.
[22:01] I'm doing that and it seems to do nothing.
[22:02] So much for that idea, then.
[22:02] returns 0 and logs nothing.
[22:02] * gholms lets someone more knowledgeable about cloud-init+upstart answer
[22:02] heh, thanks :)
[22:06] oh here we go
[22:07] the log says config-puppet already ran config
[22:09] I feel like there must be some other lockfile that is stopping it from running.
[22:09] I wish I could figure out a debug mode.
[22:10] sudo reboot <<< for the 5th time today, thinking of running just plain debian wheezy already..... rant
[22:11] autojack: there's always something interesting on smoser's blog posts, but I don't know off-hand if he's written anything targetted directly at what you're doing.. check this out though: http://ubuntu-smoser.blogspot.co.uk/2013/02/using-ubuntu-cloud-images-without-cloud.html
[22:13] sarnold: thanks! I don't see anything in there that applies though. I AM running this on EC2. I'm just trying to create a modified instance.
[22:14] autojack: one of the comments about changing user / group information looked more useful than the contents of that specific post..
[22:15] aha
[22:18] AHA
[22:18] I figured it out!
[22:18] as the Angry Video Game Nerd would say, "ASSSSSSSSSSS!" in a mid-west accent.
[22:18] first of all, I needed to exclude /var/lib/cloud/sem from my manifest.
[22:18] second, I needed to exclude /var/lib/puppet/ssl apparently.
[22:19] sheesh.
[22:20] how do i get my ubuntu server to cook me some bacon?
[22:20] sudo make me a sandwich^W^Wbacon
[22:21] haaaa yes thats the command I was looking for thank you.....
=== freeflying is now known as freeflying_away
=== freeflying_away is now known as freeflying
[23:39] autojack, cloud-init should "just work" and re-run first boot stuff after being captured.
[23:39] there is not necessarily a reason to rm -Rf /var/lib/cloud, but its fine to do that.
=== freeflying is now known as freeflying_away
[23:41] autojack, config-puppet really should run "per-instance".
[23:41] meaning it should run any time there is a new instance-id found.
=== freeflying_away is now known as freeflying