[00:33] <jo-erlend> small favour: can someone see if I have port 22 open on schinstad.no?
[00:33] <TJ-> jo-erlend: Doesn't look like it
[00:33] <sarnold> jo-erlend: no response yet, feels like it's set to DROP
[00:35] <jo-erlend> wt... Why does openssh-server suddenly break? This is the second server I've experienced this with since 12.04.4.
[00:35] <jo-erlend> it used to work properly.
[00:36] <TJ-> It's never broken in my experience, unless someone 'tweaked' it
[00:36] <jo-erlend> ah.. I've never actually tested from outside my network. Perhaps it's the ISP... Maybe I was a bit hasty :)
[00:36] <sarnold> are you travelling? mine breaks most often when I'm travelling :) hehe
[00:39] <TJ-> Best to use a VPN and ssh and everything else through the LAN tunnel
[00:40] <jo-erlend> By default, openssh-server should listen on all interfaces regardless of IP, right?
[00:40] <sarnold> TJ-: in my case it's just flaky hardware that sometimes needs a reboot. pandaboards are neat but "five nines" isn't in their vocabulary :)
[00:40] <jo-erlend> ah! Haha, no, it's my fault! I forgot to forward the ports... That was embarrassing. :]
[00:41]  * TJ- rolls eyes :)
[00:41] <jo-erlend> I have two different networks at home right now. I forgot that one of them is NATed :)
[00:42] <sarnold> hooray :)
[00:42] <TJ-> sarnold: really? I try to ensure the gateways are super-reliable... powered off 12V lead-acid batteries, 3G back-up for the VDSL, two of them ... belt and braces :)
[00:43] <sarnold> TJ-: very nice :) my main priorities were "I'd like it to be silent and draw nearly no power", which the pandaboard does very well.
[00:43] <sarnold> TJ-: I just hadn't expected it to be so much less reliable than a regular PC.. oh well, some day I'll find a suitable replacement for the thing. :)
[00:43] <TJ-> sarnold: same here, 15W
[00:43] <jo-erlend> I read about the IGEPv5 the other day. Seems very interesting.
[00:43] <TJ-> sarnold: Zyxel VMG8924
[00:45] <TJ-> At some point I'm hoping to re-spin the firmware to be based on Debian or even Ubuntu (MIPS CPU) but for now using a slightly modified Zyxel base. Probably get there in a year's time :)
[00:46] <sarnold> TJ-: heh, MIPS ubuntu might be some work, but debian, sure.. the UBNT folks already have a tiny mips debian router that looks cute..
[00:47] <TJ-> I've got cross-builds of userspace already, it's figuring out the Zyxel firmware and being sure I don't break it. Been getting the JTAG stuff ready. There's an ISP in Denmark contacted me, wanting to put openwrt on them... I might take the challenge :)
[00:47] <sarnold> TJ-: oh, okay, you're well ahead of the game then :)
[00:48] <TJ-> Like everything, it's finding the time
[00:48] <sarnold> yeah
[00:48] <sarnold> see also: working on sunday afternoon...
[00:48] <TJ-> Monday morning here!
[00:48] <sarnold> ugh :) sorry to hear it! hehe
[01:02] <jak2000> hi all
[02:40] <ohmygoshjosh> Can someone point me to some resources on best practices for running a daemon as another user?  For example, I am running "play framework" on an ubuntu box as the user "play" but I can't invoke the binary without using sudo?
[02:41] <ohmygoshjosh> Note that this user is defined with a /bin/false shell
[02:41] <Titanium> i have this script that is running using init.d, and it does not work. When i run it as root from my useraccount it works.
[02:41] <Titanium> i dont see what would be different
[02:41] <ohmygoshjosh> funny, we have pretty similar questions.
[02:41] <TJ-> Titanium: environment
[02:43] <Titanium> is there some way to run  it as root using my username?
[02:43] <Titanium> from root?
[02:43] <Titanium> not sure what to ask
[02:45] <TJ-> No, fix the script. Probably the script isn't using absolute paths to binaries/scripts it calls, or expects some environment variable to be available, that isn't
[02:45] <TJ-> e.g. PATH is very different for $USER compared to the basic shell at startup
[02:46] <Titanium> it runs a program that crashes a lot
[02:46] <Titanium> and re-runs it when it crashes
[02:46] <Titanium> that program fails after it starts
[02:46] <Titanium> but it runs it just fine :(
[02:46] <ohmygoshjosh> is it possible to execute a bin as a user whose shell is /bin/false?
[02:46] <TJ-> Why does the program crash?
[02:47] <Titanium> its porrly written
[02:47] <Titanium> poorly
[02:48] <Titanium> i have a script i can run and it works fine. I was looking for a way to automatically run this at boot
[03:34] <prgCoder> hi all, i am new to ubuntu server - are there any easy-to-install tools that are like YAST for SuSE ?
[03:37] <TJ-> prgCoder: The apt tools, the main one being apt-get. Try "man apt-get" .... you can also check on available  packages using "apt-cache" ... always check the man-pages, Debian/Ubuntu are very hot on providing useful man-pages for every tool and most major config files
[03:42] <prgCoder> TJ-: thanks - but what about tools to configure the network, or cups (printers), or user accounts, or filesystems - is this all command line only - or are there character-based menus ?
[03:43] <TJ-> it's all command line.
[03:43] <TJ-> see for example https://help.ubuntu.com/12.04/serverguide/network-configuration.html
[03:48] <prgCoder> ok - bit backward
[03:58] <prgCoder> what about when ubuntu server is installing, is there any of those semi-gui tools available after the install ?
[04:07] <jak2000> apache question: ServerName midomain.com and ServerAlias www.midomain.com   is it correct?
[04:30] <jak2000> when I reload the apache2 service i get this warning: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName   how to remove? thanks
[05:14] <Titanium> what's with disabling my system information when my load average gets above 10 ?
[05:14] <Titanium> if it was below 10 i would be expecting problems...
[05:14] <sarnold> what's "system information"?
[05:15] <Titanium> when you ssh in
[05:15] <Titanium> that stuff it shows like the IP and load average
[05:15] <sarnold> ah!
[05:15] <sarnold> I hadn't realized that went away with higher load average. you're right, it'd be more useful when it is high.. hehe. it might be so you can get to a # more quickly and fix things..
[05:16] <Titanium> yeah, probably
[05:16] <Titanium> but 10 seems way too low a setting these days with a dozen cores per cpu being common
[05:17] <Titanium> it's probably easy to change, i just need to look
[07:13] <hxm> hello good morning
[07:13] <hxm> in your experience, what is the best way to backup your server?
[07:13] <hxm> linking dropbox?
[07:15] <sarnold> hxm: investigate rsnapshot, duplicity, tarsnap
[07:16] <hxm> thank you
[07:16] <cfhowlett> hxm, good question for #ubuntu-server channel
[07:16] <hxm> sorry if I annoyed, was not my intention
[07:16] <cfhowlett> hxm, no no , just thought they might have an answer for you
[07:16] <cfhowlett> !server
[07:17] <sarnold> hxm: oh yes, also look into amanda and bacula
[07:17] <hxm> i know you all are very experienced and quite expert in this, in fact this is my favorite channel
[11:23] <hxm> should I care about this? update-rc.d: warning: /etc/init.d/copyconsole missing LSB information
[11:54] <cocoa117> when a network device was set with an IP address but no broadcast address, does this mean the kernel won't respond to any broadcast received on this particular network dev?
[12:01] <alami> hello, where can i find dns entry in my ubuntu dns server
[12:02] <cocoa117> alami, what version of ubuntu u got?
[12:03] <alami> 12.10
[12:05] <cocoa117> cat /etc/resolv.conf
[12:05] <cocoa117> if it is server
[12:05] <cocoa117> not a desktop
[12:05] <TJ-> alami: What do you mean by "DNS entry" ... the upstream DNS resolvers, or its own fully-qualified domain name?
[12:06] <alami> i'm looking for something ending with txt
[12:07] <makara> curious
[12:07] <makara> what are you trying to achieve?
[12:11] <TJ-> alami: https://help.ubuntu.com/12.04/serverguide/dns-configuration.html
[12:16] <ccha2> hello I got a zombie process,... this process bound a port, but right now the port is still used
[12:16] <ccha2> how can I free up this port with reboot ?
[12:17] <ccha2> since it's a zombie process now, I can't kill it
[13:13] <vedic> I have full access to remote server but for certain things I want to allow access to certain directories to few other users as well. For this I have created multiple private key/public key pair. Can I restrict access in authorized_key using "command="? Note that I have not created multiple users but a single user without multiple keys
[13:14] <vedic> Does "command=" work per user or per key?
[13:24] <pmatulis> vedic: well, 'command=' is in a public key file right?  so, per key
[13:26] <vedic> pmatulis: ok
[13:27] <vedic> pmatulis: Thanks
[13:32] <pmatulis> vedic: will a sftp chroot be sufficient here?
[13:42] <vedic> pmatulis: I want the user to limit access to certain directories only
[13:43] <pmatulis> vedic: sftp chroots can do that
[13:44] <vedic> pmatulis: What is the advantage of multiple user-multi keypair vs single user each having key pair
[13:44] <vedic> single user account accessed by multiple developers using their respective keys vs multiple user accounts on the server and each user has its own key pair
[13:44] <vedic> This is for setting up a repository
[13:46] <tomixxx3> hi, what does it mean, if i set "gateway" to the same ip address as "address" ?
[13:46] <tomixxx3> (in "interfaces" file)
[13:48] <pmatulis> vedic: what kind of repository?  what do the connecting users actually need to do?
[13:48] <vedic> pmatulis: bzr+ssh
[13:53] <TJ-> vedic: have you considered integrating something like gerrit (code review) into the workflow, so that it manages the canonical repository, and developers each push to gerrit and pull from gerrit and each other?
[13:58] <vedic> TJ: I have my code repository on remote server. I want to allow some of my friends access to that bzr repository. For this, I am thinking of should I create multiple users each with ssh access and limit their ability to do things via "command=" in authorized key or should I create multiple key pair without actually creating multiple users
[13:59] <pmatulis> vedic: what about just not allowing shell access (nologin)?
[14:00] <vedic> pmatulis: they won't be able to push and pull the code to/from repository.
[14:00] <vedic> pmatulis: You mean something like: sudo useradd -r -s /bin/false USERNAME
[14:01] <vedic> I am not sure ssh will execute any remote command without shell access
[14:14] <TJ-> vedic: With DVCS I prefer not to allow multiple users write access to the same repo, having a gatekeeper in the form of a single developer, or a code-review and integration tool, is my preferred method
[14:15] <SlidingHorn> Can someone elaborate on why php/apache run as privileged users by default & how to secure that without jumping through hoops?  lol
[14:15] <TJ-> vedic: I'd allow each dev there only cloned branch and use push/pull/merge workflow to integrate into a canonical project repo
[14:15] <SlidingHorn> (sorry to cross post...forgot there was a server room of its own)
[14:16] <vedic> TJ: any tutorial on that which you can refer?
[14:17] <vedic> TJ: Yea, but why not allow multiple users to commit, push, pull and merge to a shared repo? We can always create a new branch 'release' on which only one developer has access and that branch goes to production
[14:17] <TJ-> vedic: Depends on which workflow you mean ... setting up multiple independent developer repos is just a case of doing for each what you'd do for one, the rest is just the actual workflow the devs follow
[14:17] <TJ-> vedic:  why not? Because there is abundant history of that causing major breakage of repos. The whole point of DVCS is to get away from that centralised model
[14:18] <vedic> TJ: Ok, so everyone clone the main repo and push/pull/merge into their own local repo. When they think all is well, it is pushed to main?
[14:20] <vedic> TJ: or you are saying main => [everybody clones this] and then dev goes in their local repo and when they think its good to go, it goes to gatekeeper repo and gatekeeper reviews it and push to main?
[14:21] <TJ-> vedic: Your second scenario, yes
[14:22] <TJ-> vedic, That's the scenario where the gatekeeper can be a tool like gerrit, potentially hooked into a CI tool like jenkins too
[14:22] <vedic> TJ: I see
[14:23] <vedic> TJ: gerrit doesn't seem to work with bzr
[14:23] <TJ-> vedic: Probably not, bzr is becoming abandonware last I read, most people use git or mercurial
[14:24] <vedic> TJ: Ubuntu uses bzr ?
[14:24] <TJ-> vedic: Indeed... see the problem?
[14:24] <vedic> TJ: like what
[14:26] <TJ-> vedic: a good read: http://www.stationary-traveller.eu/pages/bzr-a-retrospective.html
[14:32] <TJ-> vedic: Also this from a Canonical bzr developer about internal workflow: "I started off with some fixes to the developer documentation. This got me used to the process that you can not commit directly to bzr’s trunk, instead all committers are required to make merge proposals on Launchpad, have those approved by a fellow developer, then send it to a programme called Patch Queue Manager which will integrate the patch and run the test suite to check everything still works." ...  http://blog.bazaar.canonical.com/?p=383
[14:38] <SlidingHorn> no suggestions / answers on the php/apache thing?
[14:44] <TJ-> SlidingHorn: You need to be more specific, apache/php by default do not run as the privileged user. apache runs as user www-data.
[14:50] <SlidingHorn> TJ-,  aren't user & group IDs under 100 privileged?  php is running as 33
[14:51] <vedic> TJ: I have been using bzr for some time and I never found any issue. It's simple to use, revision numbers are human friendly and there are fewer commands
[14:51] <TJ-> SlidingHorn: no, privileged usually means the root user, that can read/write anywhere regardless
[14:52] <SlidingHorn> TJ-, so phpsecinfo is likely being overly sensitive in its scan?
[14:54] <TJ-> SlidingHorn: Sounds to be a bad report entirely if it classes a low UID as somehow privileged
[14:56] <SlidingHorn> TJ-, yeah...their exact explanation is: "User IDs under 100 are generally reserved for privileged/system users. If PHP executes as a userid under 100, it may have access to read or manipulate system files."
[14:56] <TJ-> That is a very poor summary!
[14:56] <TJ-> So poor as to be factually incorrect
[14:57] <SlidingHorn> TJ-,  I've been worrying about this for a couple days...stopped progress on a project for it, lmao
[14:57] <TJ-> if the apache process is running as www-data:www-data then it will only be able to access resources that allow those... plus any resource that has o+rwx
[14:57] <TJ-> SlidingHorn: You poor thing... send them the bill for your time and grey hairs!
[14:58] <SlidingHorn> I can't bill them for my ignorance...I'd be a rich man...
[14:59] <TJ-> we wish :)
[14:59] <TJ-> But the message is factually incorrect, in fact it is so bad - for a security scan tool - as to make me not want to touch that tool at all
[15:00] <SlidingHorn> TJ-, any suggested alternatives?
[15:02] <TJ-> SlidingHorn: On Linux... I've never needed to worry ... although I stay away from php packages as much as possible since the code quality of many projects isn't high
[17:38] <simpleirc1> hello
[19:15] <parallel21> Is there a way to recover just filenames without recovering an actual file?
[19:29] <RoyK> parallel21: no
[20:36] <mdeslaur> roaksoax, hallyn: If all goes well, I plan on uploading virt-manager 1.0.0 before feature freeze...any objections?
[20:46] <hallyn> mdeslaur: nope, thanks
[21:14] <roaksoax> mdeslaur: not on my side! Thank you!
[21:16] <med_> smoser, jamespage, roaksoax, zul:  I see 12.04, 12.04.1, 12.04.2 at http://old-releases.ubuntu.com/releases/ but not 12.04.3. Is that by design since raring had such a short support life or is it an oversight?
[21:16] <med_> (only 12.04.4 on the main download site)
[21:23] <brendan`> anyone set up an ldap & samba4 server as a DC? on separate boxes with 12.04 and able to point me to a quality guide
[22:59] <tomreyn> is it common nowadays to manage a server's network connection using network-manager?
[22:59] <tomreyn> or would you recommend keeping it simple with just ifconfig / iputils
[23:00] <sarnold> tomreyn: I'd avoid network-manager, stick with /etc/network/interfaces and friends
[23:00] <tomreyn> After this operation, 462 MB of additional disk space will be used.
[23:00] <sarnold> (though I haven't yet found a way to configure /etc/network/interfaces to bring up multiple IPs on one interface. bah.)
[23:00] <tomreyn> i tend to agree
[23:01] <tomreyn> i think the usual way would be to add the additional ip addresses using "post-up" (or whatever that trigger is called) calling the "ip" command
[23:03] <tomreyn> so you'd add "up ip addr add 10.4.2.1/32 dev eth0" to your "iface" section in /etc/network/interfaces
[23:03] <tomreyn> but i only tried this on debian squeeze, where it works fine
[23:06] <sarnold> tomreyn: I guess that beats dragging around shell scripts; it's nice to know it works fine :)
[23:07] <tomreyn> :)