[00:02] @andygraybeal did you try a reconfigure?
[00:02] on postgres yes
[00:02] no interactive questions?
[00:02] but it didn't pop up any message saying to set a password or anything
[00:02] i'm going to purge
[00:03] ok
[00:03] yea, no interactive questions
[00:03] thank you for the response
[00:03] I have RT4 installed too, but can't remember how I installed it
[00:04] yea, i've done it several times
[00:05] you use it?!!?!!
[00:05] yes! :)
[00:05] awesome!!
[00:05] ^5
[00:05] i love it
[00:05] i can't be without it myself.
[00:05] i just bought a linode host, and i have it up and running over on an ec2 instance.
[00:05] it's a bit clumsy and ugly, but it's flexible beyond belief
[00:05] yeh, that's what I do, EC2
[00:06] i agree with the clumsy and ugly.. but i still love it...
[00:06] can you recommend the best way to purge stuff in ubuntu?
[00:07] i want to start over again :)
[00:07] without setting up another instance
[00:07] ah, I hate package management... sudo apt-get remove --purge package ?
[00:07] k
[00:07] thank you
[00:08] I think it will only remove the package you specify, so you have to figure out dependencies. I think aptitude may be cleverer at figuring it all out
[00:08] you can check your apt logs though
[00:08] aah aptitude....
[00:09] i'm not used to that
[00:11] gah.. it keeps bitching about sqlite, and i never installed it
[00:11] i was trying to use postgres....
[00:11] i hate this stuff
[00:11] i'll just try different things and be persistent...
=== markthomas_zz is now known as markthomas
[00:19] yay!!!!!!! gdi2k it worked... i was doing apt-get purge.... and aptitude made all the difference
=== markthomas is now known as markthomas_away
[01:48] Hi, is this the right place to ask about bug in cloud-archive?
[01:50] itzikb: its a fine place to ask that
[01:52] Thanks. I opened two bugs: https://bugs.launchpad.net/cloud-archive/+bug/1255420 , https://bugs.launchpad.net/cloud-archive/+bug/1257732 and I wonder how can I help to solve them
[01:52] Launchpad bug 1255420 in cloud-archive "Neutron Mellanox plugin package is missing" [Undecided,Confirmed]
=== markthomas_away is now known as markthomas
=== markthomas is now known as markthomas_away
=== thumper is now known as thumper-afk
=== markthomas_away is now known as markthomas
=== gfrog_afk is now known as gfrog
=== thumper-afk is now known as thumper
[04:39] I am now offering free psyBNC access type !bnc to learn more.
[04:42] I am now offering free psyBNC access type !bnc to learn more.
[04:42] !spam|Free_psyBNC,
[04:43] Free_psyBNC, please stop spamming the channel
[04:43] Free_psyBNC, and stop PM spamming me
[04:45] No one wants a free bnc including one that no one has no idea about.
[04:45] ..
[04:45] KnownSyntax, suspect that's a bot, but you are spot-on
=== markthomas is now known as markthomas_away
[05:10] Hey do I set the default sound card?
=== thumper is now known as thumper-afk
=== gfrog is now known as gfrog_meeting
=== markthomas_away is now known as markthomas
=== markthomas is now known as markthomas_away
=== markthomas_away is now known as markthomas
=== gfrog_meeting is now known as gfrog
=== geser_ is now known as geser
=== thumper-afk is now known as thumper
=== ikonia_ is now known as ikonia
=== hXm is now known as hxm
=== wizonesolutions_ is now known as wizonesolutions
=== Tribaal_ is now known as Tribaal
[11:00] zul, libunwind build failure is isolated to just test-01
[11:01] so I've bypassed it and backported manually for the time being
[11:01] openvswitch is fine in icehouse-proposed so ignoring that issue for the time being as well
[11:03] zul, adam_g: gonna sync up icehouse-proposed
[11:04] zul, it would be good if we can get the other packages through into trusty
[11:29] jamespage: http://status.ubuntu.com/ubuntu-t/group/topic-t-servercloud-overview.html seems incomplete? Eg. https://blueprints.launchpad.net/ubuntu/+spec/servercloud-1311-maas is missing from it. Do you know what we need to do to hook everything up?
[11:29] jamespage: I was looking for a mongodb/arm64 work item to assign myself to it, but I can't find anything easily right now.
[11:30] rbasak, its on https://blueprints.launchpad.net/ubuntu/+spec/servercloud-1311-juju
[11:30] I thought that only approved blueprints got onto status.ubuntu.com
[11:30] but it seems that's not the case
[11:30] arosales, ^^ any ideas?
[11:30] jamespage: thanks!
[11:31] jamespage: I'll start on the mongodb package, I assume, and then we can port any patches to juju-mongodb?
[11:31] rbasak, yes - but you will need to make it use the embedded libv8 copy
[11:31] It looks like a first step would be to switch to gcc intrinsics for everything, which I can test (as best as is possible) on armhf too, and then send upstream.
[11:32] (that's what we do for the juju-mongodb package currently stuck in -proposed due armhf build failure :-))
[11:33] v8 looks like a major porting effort :-/
[11:34] I don't see any 32-bit arm implementation either. Am I missing something?
[11:35] Ah. The archive's v8 source has it, but not mongodb's embedded source.
[11:52] rbasak, there is a 32 bit arm version in upstream v8
[11:52] jamespage: yeah, spotted it, thanks.
[11:52] that appears to have been stripped out as part of vendorfication
[11:53] jamespage: so from my initial look, it seems to me that v8 has no interpreter mode, and doing the JIT stuff involves a major porting effort.
[11:53] rbasak, mwhudson is looking at whether we can drop the v8 requirement for un-ported archs
[11:53] and run without that bit of the mongo shell
[11:53] might work
[11:53] jamespage: OK, shall I focus on the non-v8 part for now, then?
[11:54] That bit I can chug through, I think.
[11:54] rbasak, I think that would be good
[11:54] +1
[11:55] zul, did you miss horizon last week intentionally?
[11:55] or do I still need to ack a MP
[11:55] I probably do don't I
[11:56] zul, commented on https://code.launchpad.net/~zulcss/horizon/2014.1.b1/+merge/197957
[11:57] zul, I don't see an upload for glance either - although the MP is merged
[12:03] yolanda, that sounds better - yes
[12:03] ok
[12:03] i will do a try
[12:08] jamespage, nova is FTBFS? wanting to add the patch there, but cannot build
[12:08] yolanda, can you leave this until icehouse-1 is out of the door - should be today/tomorrow
[12:08] jamespage, ok
[12:09] there is a pending MIR that needs to complete
[12:09] can i do it with other packages?
[12:12] yolanda, nova ftbfs?
[12:12] that was one that did go through
[12:13] yolanda, oh - in the lab?
[12:13] yes, in the lab
[12:13] jamespage, using the ubuntu-server-dev packages to add the banners, am i right?
[13:13] yolanda, well you could fix that problem at the same time - its probably just a patch refresh or drop
[13:15] ok, i'll take a look
=== Ursinha-afk is now known as Ursinha
[13:16] jamespage, what do you think should be the best way to show distribution on python? as i cannot send a var to precompiler as other languages, I was thinking in patching the file i need with some placeholder, and then do a sed to replace with right vars on debian/rules
[13:16] can you think on something better?
[13:21] when I try to install zram-config on Ubuntu 13.04 VPS I get this error:
[13:21] invoke-rc.d: initscript zram-config, action "start" failed.
=== gary_pos` is now known as gary_poster
[13:30] ice9 what did you expect? that seems a very valid result
[13:30] yolanda, not quite sure what you are trying to achieve patching python itself?
[13:30] or is this a general how do I do the banner for a python app thing?
[13:30] patdk-lap, you mean because 13.04 doesn't support zram?
[13:31] no, cause you are using a vps
[13:31] jamespage, patch is done in wsgi.py file, but i don't want to hardcode ubuntu
[13:31] so i was looking for a way to dynamically set that
[13:31] in other packages i was just sending a var to preprocessor using makefile, but with python i'm not sure on how to do it
[13:36] patdk-lap, so now how do I remove zram from apt-get is it's not installed and still giving an error when installing any other package
[13:36] that I don't know
[13:38] oh my god i hate the winter
[13:41] yolanda, http://paste.ubuntu.com/6545838/ - that's what I see as test coverage for heat right now
[13:41] mm, let me check if i haven't pushed
[13:44] zul, cinder and nova need a dependencies version review - how's that tool coming along?
[13:44] jamespage: delayed
[13:44] staging to proposed is a great place to spot these things
[13:44] jamespage: six?
[13:44] jamespage, are you grabbing from here? ~yolanda.robla/charms/precise/heat/trunk/
[13:44] 2cheeks
[13:44] i don't have anything to push, and my coverage shows 85%
[13:45] zul, yup
[13:45] ditto on wsme
[13:45] jamespage: ack
[13:45] jamespage: we need to fix something for horizon after i get it uploaded today
[13:45] i see heat_context tests differently: heat_context 34 8 76% 27, 34-40, 43-44
[13:46] jamespage: http://pastebin.ubuntu.com/6545845/
[13:46] zul, oh great
[13:46] that old chestnut
[13:47] yep
[13:49] jamespage: i opened #1259166 because of it
[13:50] bug 1259166
[13:50] Launchpad bug 1259166 in horizon "Fix lintian error" [Undecided,New] https://launchpad.net/bugs/1259166
=== Pici` is now known as Pici
[14:01] jamespage: https://code.launchpad.net/~zulcss/horizon/2014.1.b1/+merge/197957
[14:01] zul, you need to include the new assets
[14:02] argh
[14:38] jamespage: done..
[14:39] jamespage: wrt to waitress, the tests run fine locally but doesnt run in a build, ive added dep8 tests for them and ill ping mterry about it
[14:47] jamespage: lemme know when you get back
[15:09] zul: bug https://bugs.launchpad.net/ubuntu/+source/ipxe/+bug/948323, do know what path xen looks for for ipxe roms? does it look for /usr/share/qemu or /usr/lib/ipxe?
[15:09] Launchpad bug 948323 in ipxe "Rom images for e1000 and ne2k missing vendor and device id" [Low,Fix released]
[15:09] i'm wondering whether we still need that delta from debian
[15:09] /usr/share/qemu i think
[15:10] smb: ^^^
[15:10] hallyn_, Probably yes as long as the xen build getting those for xm path
[15:10] And yes, I think /usr/share/qemu
[15:10] hallyn_: i should have an updated libvirt for you today...if my uploads to the ppa wouldnt timeout
[15:10] zul, Would your updated libvirt be actually tested with xen?
[15:11] zul, As it is segfaulting right now
[15:11] smb: nope i dont have xen installed
[15:11] smb: 1.2.0?
[15:11] zul, May I slap you a little bit?
[15:11] smb: no :)
[15:11] Wishful thinking
[15:12] you can wish for a little bit longer then :)
[15:12] Nothing to do with libvirt upstream as with a mis ported patch of mine
[15:12] doh
[15:12] smb: well patches welcome
[15:12] Right now I got it to be ok with xl stack but not working yet with xm
[15:13] Theoretically we should move to xl as default anyways
[15:13] Though xl has pxeboot issues
[15:13] smb: yeah if you want tested with xen beforehand i think you need to have zul ping you when he's merging, as he does me . (cause i'm not gonna test xen either :)
[15:14] hallyn_, That would be some progress at least
[15:14] :-P
[15:14] Better than to find out when I actually want to do something else
[15:14] hallyn_: maybe we should keep smb in the loop when we merge a new version
[15:14] zul, bug 1259203
[15:14] Launchpad bug 1259203 in python-wsme "require versioned dependency on python-six" [Undecided,New] https://launchpad.net/bugs/1259203
[15:15] zul, Thats what he said
[15:15] jamespage: arrgh
[15:15] zul, translating US to CA... ;)
[15:15] or vice versa
[15:15] smb: yes we actually use english ;)
[15:16] zul, So give me a sec. The patch might not yet be good but better than before
[15:16] smb: ack
[15:16] jamespage: on it
[15:16] zul, good man!
[15:16] zul, they don't need an immediate upload btw - they can wait for other things
[15:17] zul, chinstrap:~/smb/ubuntu-xend-probe.patch
[15:17] jamespage: ok i talked to mterry about webtest its on his todo list for today
[15:17] zul, thanks
[15:17] zul: sounds worthwhile :) (keeping him in the loop)
=== wedgwood_ is now known as wedgwood
[15:18] jamespage: also ill have a nova merge for you shortly (just building locally for any surprises)
[15:18] smoser`: did you have a chance to check out that script?
[15:18] zul, ok
[15:19] zul, If you can point me (or drop me) your 1.2.0, I can switch fiddling around with that
[15:19] smb: https://launchpad.net/~zulcss/+archive/libvirt-1.2.0
[15:20] zul, thanks
[15:20] lfaraone, i'm sorry. its on my todo list.. i just wrote it there again today :)
[15:20] lfaraone, link ? and i'll take a quick look now.
=== smoser` is now known as smoser
[15:21] smoser: neat, thanks. https://bazaar.launchpad.net/~lfaraone/+junk/configure-interfaces/view/head:/configure-cloud-interfaces
[15:21] lfaraone, fwi, there is '#cloud-init' channel also
[15:22] not that your comments are inappropriate here
[15:22] but that they may be more appropriate there.
[15:24] k, joined.
=== freeflying is now known as freeflying_away
[15:38] jamespage: https://code.launchpad.net/~zulcss/nova/icehouse-sqlalchemy/+merge/198278
[15:47] yolanda, the problem is that openstack does not have the same concept as apache
[15:47] jamespage, zul, so my thought about a var in config file also, is that the way that openstack is deployed, with puppet or other tools, will make that this var is just ignored
[15:47] I'd prefer that we have something config driven so that users can disable it - but that might not meet the objectives for this blueprint
[15:47] people won't be adding any extra vars
[15:47] as its easily disabled
[15:48] yolanda, well you could have a sane default
[15:48] mm, but then it will be done in runtime
[15:49] if i check if var is not set,and then check for distribution... it will be wasting a lot of time
[15:49] yolanda, for example platform.dist() return a tuple of useful information
[15:49] but that's runtime, right?
[15:49] yolanda, yes
[15:49] so imagine that extra call for each api call...
[15:50] i don't think that's a good idea
[15:50] its probably cached
[15:51] or maybe not
[15:51] yolanda, I agree that sucks
[15:51] and setting a var in keystone.conf will be mostly ignored, don't you think?
[15:52] problem on what i did now is that is not easily movable upstream
[16:03] so jamespage, zul, what alternatives do we have?
[16:04] yolanda: i still think if you do keystone --version thats good enough
[16:04] but that's not the objective for server banners
[16:05] true but its not always a good idea to do it in server banners
[16:06] mm i checked with jamespage and we decided that this wasn't good, so we need some agreement
[16:39] hello
[16:39] in terms of monitoring cpu utilization, should one focus on %sys or %idle and or %soft?
[16:57] on cpu load, should i really care about %idle versus anything else? how about si or hi?
[17:05] roaksoax: ping maas doesnt use beautifulsoup does it?
[17:06] zul: np[e
[17:06] nope
[17:06] roaksoax: awesome
=== freeflying_away is now known as freeflying
[17:42] Daviey: ping
[18:00] zul: all right, qemu 1.7 working for me. if you want to look at it before i push to trusty, shout
[18:00] oh wait, gotta look for a new version of linaro patchset. heh.
[18:00] hallyn_: sure why not
[18:00] hehe
[18:01] zul: ok, it (without linaro patchset) is in github.com/hallyn/qemu branch ubuntu_1.7.0+dfsg-2
[18:12] so zul, jamespage, i'll need some feedback about it. We have several options, not sure what will be best, also smoser sent some feedback: https://code.launchpad.net/~yolanda.robla/keystone/icehouse_fix-distribution/+merge/198275
[18:13] yolanda, was i wrong ?
[18:13] surely something loaded in that wsgi.py is only loaded once, right?
[18:13] but it should be loaded on every api call
[18:13] no...
[18:14] are you saying you'd want it to be ?
[18:14] or are you saying that wsgi.py will actually be loaded by python on every api call
[18:14] i could be wrong, but i surely wouldn't expect that it would be. and if it is, we can find somewhere else to put the DISTRIBUTION
[18:15] smoser, i think wsgi should be loaded on each api call
[18:15] but i'm not sure at this moment anyway
[18:16] also we were discussing about using a config var for it
[18:16] sure. config var is no different. i'm fine with that.
[18:16] if you have something up, you can easily check if wsgi.py will be loaded on every call.
[18:16] problem with config var, is as openstack is normally deployed using puppet or other tools, won't be easily used, people will override it
[18:17] you just do open("/tmp/mfile.txt", "w+").write("loaded")
[18:17] one solution that jamespage also proposed, is to set that in config, and if not present, default it with some python call (for example the approach you told)
[18:17] and if every api call gets appended to that file, then i'm wrong
[18:17] yes, i was thinking in testing it
[18:17] also zul suggested just to patch the --version call, so we have several alternatives
[18:18] personally, i might just do it like a "config" that is a dict
[18:18] and allows you to specify 'X-Distribution: foo-bar'
[18:18] as well as
[18:18] I have a server using a near-offset mdraid 1 I need to convert it to a far-offset raid 10. There don't see anyway to do this without basically taking the machine down for a full rebuild and copying the data over. any better suggestions?
[18:18] 'X-GoCubsGo: cubswintoday'
[18:19] and update the dict with the config value
[18:19] ie, it doesn't 'have to be distribution specific at all.
[18:19] just "additional headers"
[18:20] smoser, and also you would add a section in .conf files for that?
[18:22] well, a config variable.
[18:22] so you'd either have a config variable value that is then an array (or dictionary)... I think there are some values that are ',' delimited
[18:22] already
[18:22] ie, which have been 'shoved' into a single string
[18:23] or you can just refer to a file that has this data in it json encoded.
[18:23] the file reference is what I did for "vendor data" in openstack.
[18:23] s/openstack/nova/
[18:23] https://review.openstack.org/#/c/37964/
[18:28] that might be overkill here. as may be my generic "additional_headers"
[18:28] but it is very functional
[18:32] ok, i'll take a look
[18:57] a.net
[18:57] Hi. What ftp server do u suggest? So Users could upload to /var/www/servers/ ?
[18:58] Preferably users without shell and access to upload only to /var/www/servers/user1/ ?
[18:58] frojnd: ftp is a horrible protocol, I'd rather offer sftp through sshd.
[18:59] anyways if that filezilla supports I'm good with it?
[18:59] it does..
[18:59] Ok So I have only 2 demands. User can not ssh to server but is able to upload to /var/www/servers/user1/ directory and all subdirectories
[19:00] Also this directory has following rights: drwxr-xr-x 10 www-data www-data
[19:00] This means only www-data is able to write
[19:01] frojnd: look at sshd_config(5), especially ForceCommand and internal-sftp
[19:02] frojnd: I'd change the directory's owner and group -- you do not want your web server to be able to write to this directory, do you?
[19:03] Nope. What is the common group user for websites on ubuntu?
[19:04] I'd make a new group, myself, since I don't care for the use of www-data for both the webserver process -and- the webserver data files.
[19:14] sarnold: if i want to allow ext* and xfs mounting, do you know offhand if i can just say "mount fstype=ext* xfs," ?
[19:16] hallyn_: try "fstype in (ext*,xfs)" -- though you might need (ext2,ext3,ext4,xfs) ...
[19:17] sarnold: in an apparmor profile?
[19:17] (the 'in' seems out of character)
[19:17] eh, i'll just list them out - clearer anyway. thanks :)
[19:18] hallyn_: yeah, the 'in' was introduced because 'mount' is funny -- we wanted something more flexible than "this exact set of options" to allow "anything in this list of options". so 'in' was introduced.
[19:18] in what release?
[19:18] sorry, I don't recall.
[19:19] sigh I need to set up some more-featured chroots, 'bash: man: command not found" ...
[19:21] yeah i need to tweak my canonical-containe-creation scripts to add things like that, as well as divert dpkg
[19:21] not today :)
[19:21] :)
[19:22] .. when waiting six seconds for a vm to spin up and ssh in is just too painful ..
[19:24] stgraber: well that was weird.
[19:24] hallyn_: looks like precise has the mount 'in' rules. Not lucid, no real surprise there I guess.
[19:24] on 3.12 kernel, i did 'dd if=/dev/zero of=xxx bs=50M'. when it got to 5.5G i ran out of disk
[19:24] sarnold: do you have a link to docs on it?
[19:25] dude this happens on host too
[19:25] hallyn_: nothing better than apparmor.d(5), sorry: http://manpages.ubuntu.com/manpages/precise/en/man5/apparmor.d.5.html
[19:25] oh, heh. i see what i did there
[19:26] well, i need a reboot. biam
[19:26] .. you actually ran out of disk, right? :)
[19:28] yup
[19:38] stgraber: when you get a chance could you look at my debdiff to https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1257389 ?
[19:38] Launchpad bug 1257389 in maas "cannot run maas-import-ephemerals inside lxc container" [Undecided,Confirmed]
[19:40] jamespage: silly question.. but do you think it would be better to rename maas-region-controller-min to maas-region-controller-common?
[19:42] hallyn_: do you actually need to allow nesting in the -with-mounting profile?
[19:42] stgraber: not necessarily, but since you can't "combine" features, i thought i'd go for the lowest common denominator
[19:43] smoser: the containers where you'd want to mount blockdevs, you wouldn't be using cgroups there right?
[19:43] hallyn_: I think it'd be best to have the with-mounting profile only allow mounting and not allow nesting (so drop start-container, cgroup, proc, sys and the rw,bind of dev/shm)
[19:44] hallyn_: if someone actually wants both, they should just add an extra profile which includes both with-nesting and with-mounting
[19:45] hallyn_, um... i don't think so, but i'm not sure.
[19:48] stgraber: ok will update the debdiff on the bug
[19:49] stgraber: are you pushing soon to trusty with your new config layout?
[19:49] do you want to just add this to your upload if so?
[19:51] hallyn_: next upstream push will be next Tuesday with the release of beta1
[19:51] (17th)
[19:53] i have a small USB (500mb) drive, is there any way to install ubuntu server? online installation or something?
[19:54] hi i have some problem to receiving mail on my postfix/dovecot server...
[19:54] http://paste.ubuntu.com/6547378/
[19:55] TeraJL: I've got to run out the door.. but perhaps try one of the 'mini' images on your usb stick, just dd the thing, that might do a live instance for you in the tiny space..
[20:02] stgraber: all right i'll push lxc with that fix, then. i'll work upstream for the lxc-ubuntu-* template option to specify apparmor profile. (if i can think of a good way to specify one)
[20:07] hallyn_: I just applied a commit from caglar that adds that kind of documentation to ubuntu.common.conf, so you probably just want to add a section in there.
[20:10] ok
[20:20] no one to help me?
[20:23] fuga: it is extremely probable that your ISP is blocking port 25
[20:24] fuga: try telneting from a *remote* host that is nowhere near you, like from a amazon ec2 micro instance or something back to your ip:25 with postfix running
[20:25] my port are open...i've already a web server on the same computer using port 80 and i have opened 25 and 143 by the same way
[20:26] fuga: true, most ISPs allow you to open port 80 and host a page no problem; port 25 is another matter, though. port 25 and an MTA leave you wide open with the standard configs as a spam relay host, which will trash your IPs reputation, and by proxy of that your ISP
[20:30] on my ISP/modem i have open the port..it's possible the ports still close despite this?
=== freeflying is now known as freeflying_away
[20:32] fuga: yup; email is a horrible dangerous game to play, and most ISP's don't want to see their customers bandwidth get aggregated to the hilt with spam traffic to some subscribers open MTA
[20:33] how can i do to have my domain email address....like john@mydomain.com?
[20:33] fuga: just trust me on this one, but give up trying to run your own mail server out on the open internets; it's fine if you want to *send* email to remote SMTP servers, just not receive
[20:34] fuga: you can, off the top of my head, use google apps; go daddy and most of the big registrars as well will host email for your domain
[20:35] do you have some help links for me?
[20:35] go daddy? i don't understand...
[20:35] fuga: godaddy.com
[20:36] ok just...it's a free solution?
[20:36] because money it's a problem to^^...
[20:36] fuga: probably not; there was a time when google apps was free, and that is when i got in, but i don't know if it is free any more
[20:36] question, why is it that Ubuntu Servers guided LVM install creates a separate ext3 /boot partition? Why isnt it part of /roots' logical volume or at least its own logical volume, why ext3?
[20:36] ok i look that
[20:37] is it to make the boot partition easier to access?
[20:37] ScottNYC: that is probably an old doc; regardless, separating your partitions is always a good idea; particularly between variable and non-variable data
[20:38] ScottNYC: mostly it has to do with old versions of the boot loader (grub) and its idiosyncrasies regarding what types of partitions and whatnot it could read the boot stuff off of; my understanding now is that Grub2 can access pretty much anything, to include inside a mdadm raid array
[20:39] ScottNYC: And i am almost certain that there was a time when grub could not access partitions inside of LVM for the stage2 file
[20:41] yeah that makes sense, thx rdw200169
[20:53] I'm going to attempt to configure my iptables for ubuntu server, but I'm worried I'll end up locking myself out or screwing up the rules. This paste is basically two examples I found mashed up together into one (with an extra part at the bottom I'd manually add). Can anyone tell me if this will work or give me advice on how to improve it? http://pastebin.com/EsR9ZFpH
[20:54] sarnold: I've used internal-sftp
[20:55] sarnold: the problem is that when I try to login with newly created user that has only rights in /var/www/server/this_server he can also see other stuff
[20:56] He can only write or do stuff in /var/www/server/this_server but still... I thought I've chrooted it properly
[21:07] One newbie question. Let say I chroot sftpuser. Can this chrooted user still have access to read other directories?
[21:07] if other directories have -r flags for other?
[21:10] frojnd: Depends on where they are.
[21:10] soren: if they are in /var/www/servers/server1/ ?
[21:11] I'd like to create a sftp option for one user that wish to upload new stuff for site
[21:11] directly to site
[21:12] And I already this is a bad idea since now while I'm testing it I can locate .crt, .key, .csr files
[21:12] frojnd: Well, they can only access things that are in the chroot.
[21:12] soren: but I can go out of there
[21:12] I can actually go to /
[21:12] frojnd: Then you're not chrooted.
[21:12] hm
[21:12] That's what chroot means.
[21:12] It redefines the meaning of /.
[21:12] Yeah, I thought so
[21:13] First I've created user: sudo useradd --home-dir /data/incoming --no-create-home sftpuser
[21:13] And then add a password.
[21:13] So if you have a process that's been chroot('/var/www/whatever')'ered, that process will see /var/www/whatever as its /.
[21:13] mhm ok I understand
[21:13] I fucked something up on the way then
[21:14] It won't see "/var/www/whatever" mentioned anywhere and just be blocked from going further up (or down, whichever way you typically visualise it) the tree.
[21:14] anyways after creating a new user without shell I've chown already created directory: sudo chown /var/www/servers/server1/public_html
[21:14] So when you say it can go to /, what do you mean?
[21:15] It can actually go to / :) and go to /home/ and see all the users with shell
[21:15] it can also go to /etc/nginx/ssl :P
[21:15] Ok.
[21:15] so I must have misspelled or did something wrong
[21:15] What steps did you take to attempt to chroot it?
[21:15] ok
[21:15] 1) created a user: sudo useradd --home-dir /data/incoming --no-create-home sftpuser
[21:15] 2) gave it a password..
[21:16] 3) chowned dir: /var/www/servers/server1/public_html
[21:16] 4) edited /etc/ssh/sshd_config to look like this: Subsystem sftp internal-sftp
[21:17] and added this: http://sprunge.us/LIhG
[21:17] And after it I've restarted ssh service
[21:18] and I found something..
[21:18] I made a typo :S
[21:18] Can you paste the output of "ls -l..."
[21:18] oh
[21:18] Never mind, then :)
[21:18] in sshd
[21:18] let me try it
[21:19] yeah
[21:20] it was a typo, I didn't properly wrote sftp username in sshd
[21:20] Looked ok to me?
[21:21] I forgot to add sftpuser[server1] here
[21:22] This is a nice feature. Chroot
[21:29] Hm
[21:29] Pam is doing a problem
[21:30] or not
=== freeflying_away is now known as freeflying
[21:43] does it matter the order in which u create logical volumes? for example After creating logical volumes root, swap. and home, when viewing the partitions I just created, they're listed from top to bottom, home, then root then swap.
[21:43] ScottNYC: No.
[21:43] ok thx
=== aarcane_ is now known as aarcane
[21:55] welp I locked myself out of my server. It's a good thing it's non persistent (through restarts)
[22:38] I'm noticing exceptionally long ifup -a times
[22:38] over 5 minutes
[22:40] is there some logs to help me narrow down what's stalling?
[22:44] jkitchen, ps aux | grep dhclient
[22:44] jkyle, meant for you
[22:45] I had a new server setup where dhclient was missing
[23:15] yeah, I think I nailed it down to that. fella that set up the vm didn't bridge the interface so it wasn't serving dhcp
[23:16] PryMar56: ^