=== thumper-gym is now known as thumper
[00:33] I am unfamiliar with the process, how is Canonical able to provide timely security patches to all the packages in the system (tens of thousands)?
[00:37] ankraft: canonical provides security updates for packages that are located in the 'main' pocket of the archive; we rely upon community members to prepare and test patches for packages in the 'universe' pocket: https://wiki.ubuntu.com/SecurityTeam/FAQ
[00:39] ankraft: every weekly security team meeting we highlight several packages in universe that need attention, e.g. https://wiki.ubuntu.com/MeetingLogs/Security/20140303
[00:40] ankraft: sometimes we can simply roll forward an update from debian, those show up as 'sync match' on this chart: http://people.canonical.com/~ubuntu-security/d2u/
[00:42] thanks! I can't seem to find the list of packages in a release's main (my google skills appear to be broken atm). Where is the list located?
[00:43] hrm, good question.
[00:43] (in general if it is on a disc it should be in main. i'll go hunting around to see if I can find a full list.. we use a tool that's not packaged and not really convenient for users when determining if a package is in main or universe)
[00:52] ankraft: aha! found it. try: apt-cache madison apt
[00:52] ankraft: compare against apt-cache madison rxvt-unicode
[00:53] it's not exactly a list, but it is convenient enough, and can be scripted around dpkg -l or apt-cache pkgnames
[00:56] perfect!
[00:57] there appears to be quite a few packages in main. Still seems like a massive effort to keep them in check. How large is Canonical's team to maintain all the packages?
[01:00] tftp Transfer timeout .. tcpdump does not show any reply on udp port 69 .. tftpd-hpa server not seeing any log.. no firewall on
[01:00] nc -u -l 69 and from client tftp; get foo shows logs.. so network is OK
[01:01] tcpdump on the server only pkts coming in.. nothing going out
[01:03] ankraft: there are seven of us on the security team; one handles web browser things nearly full time, three handle apparmor things nearly full time, the rest handle updates, auditing, other platform security improvements, etc
[01:06] sarnold: interesting. Do you know if Debian has a full time security team or do they strictly rely on community support?
[01:07] ankraft: good question, I've never asked. those guys are productive enough I suspect that at least one or two of them must do some of their duties at an employer
[01:10] sarnold: so it is pretty silo'd then between debian and ubuntu teams for security patches (other than the sync match you pointed out earlier). Or is there a lot of overlap and working together on issues?
[01:12] ankraft: if debian has prepared a patch before we have, we can often use their work for our packages; likewise, if we prepare a patch before they do, they can often use our patches. And we double-check each other's triaging efforts, which is very convenient because the archives are -huge- and sometimes a package that contains duplicated code is overlooked in one or the other place
[01:35] sarnold, ankraft: that is selling short the kernel side. We have three members of the kernel team dedicated to doing stable kernel updates, and since most stable kernel updates involve security fixes we get a lot of work from them
[01:36] jjohansen: oh! yes, indeed I had overlooked the kernel more or less completely.
[03:26] I would like to ask . I add second interface eth1 which not same network and gateway with eth0.
[03:27] add in /etc/network/interfaces .
[03:27] interface up . ping gateway2 is ok ... but route not show
[03:29] anyway to check ?
[03:29] densin, port_forwarding enabled?
[03:30] sysctl -p
[03:31] no ,I not mean to do fw or proxy .. I have separate service bind different interface
[03:32] do I need to route add gw manually with different metric ?
[03:43] amm not work
=== Ser|Away is now known as Sereil
=== Sereil is now known as Ser|Away
=== soren_ is now known as soren
=== a1berto_ is now known as a1berto
=== ogra_` is now known as ogra
=== hachre_ is now known as hachre
=== dcmorton_ is now known as dcmorton
=== jrgifford_ is now known as jrgifford
=== Sprockt is now known as Sprocks
=== Seveaz is now known as Seveas
=== fhd_ is now known as fhd
=== ValicekB_ is now known as ValicekB
[12:49] hi, I'm trying to implement pam_google_authenticator into my server, but i'm not sure the *correct* pam configuration file to place it in
[12:49] I think it'd be either common-auth or common-account, though both seem included everywhere one is included
[12:49] so maybe it doesn't matter?
[12:50] anyhow, I'd like it to be used everywhere a normal password would be otherwise, at the console, ssh, sudo, su, and with it in common-auth it is
[12:50] I just don't want it to block non-interactive things, cron, I see one for dovecot, etc etc, any ideas?
[12:56] is the GNUTLS bug patched in ubuntu 12.10?
[13:03] yes
[13:03] or well, is 12.10 even supported?
[13:04] april 2014, so yes, you just barely made it
[13:04] lol
[13:04] how ironic. I am doing distro upgrades this week
[13:04] and GNUTLS bug comes along
[13:04] well, you're still kind of out of luck
[13:04] it was 13.04 they made the change in
[13:05] and 13.04 is eol, so no fix there
[13:05] 13.10 still uses the 2.12?
[13:06] hmm?
[13:06] λ ~ → dpkg -s libgnutls-openssl27
[13:06] Version: 2.12.23-1ubuntu4
[13:06] http://gnutls.org/security.html
[13:07] you really don't understand distros do you
[13:07] I do... 2.12 is considered stable ain't it
[13:07] what does the version have to do with anything?
[13:08] 2.12.x has a nasty certificate exploit
[13:08] says who?
[13:09] lets see here
[13:09] http://www.ubuntu.com/usn/usn-2127-1/
[13:09] according to that, libgnutls26 2.12.23-1ubuntu4.2 doesn't
[13:09] please do note
[13:09] these are UBUNTU versions, not gnutls versions
[13:10] so using gnutls documentation about exploits is pointless
=== smoser` is now known as smoser
[13:10] ha thank you ;)
[13:11] and our nodes already have that version too
=== RoyK^ is now known as RoyK
=== Pici` is now known as Pici
[14:57] I'm thinking of getting a graphical environment for my home server. I want something lightweight, so I was thinking lxde, especially because I have experience with it on my raspberry pi. Would you recommend something else? Or something more server-oriented?
[14:57] GeekDude, lxde or xfce are the ones I have experience with. both lightweights
[14:58] would you recommend one over the other?
[14:59] GeekDude, pretty much the same look/feel as far as I'm concerned. Note: xfce is the basis for xubuntu AND ubuntustudio FWIW
[15:01] cfhowlett: From what I've read, xfce is only slightly heavier, but with greatly increased configurability/usability
[15:01] GeekDude: Did you need a full suite of apps or are you just going to be using 2-3 things all the time?
[15:02] ( because even lighter is something more basic like twm then you run your app from an xterm)
[15:02] genii: Probably just a web browser, maybe MC if I can get it to install (My box has an agp port, and I just found an agp gfx card, wanna test it)
[15:02] I need to be able to test the webserver(s) locally, and lynx just won't cut it
[15:04] GeekDude: Alternately, install xvfb and then run X over ssh to your regular box.
[15:05] Wouldn't just installing XAuth work?
[15:06] GeekDude: xvfb is good for testing because it installs minimal X, also you can tell it to use different resolutions and grab a screenshot, etc
[15:07] I think I'm gonna try out xfce
[15:08] can someone clear up for me the gnutls bug? Does it affect my servers that serve up ssl certs or client apps that connect over ssl?
[15:08] all the articles on it basically just say "you're gonna die if you don't patch it!"
[15:27] hi there! Question about the new dns configuration in 12.04: I know we're supposed to specify the dns servers in the interfaces file, but what if we have multiple bridges (on a kvm host in this case). Do we need to put the dns-nameservers line in each interface stanza?
[15:27] stgraber, I'm sure you're the most suitable person to answer this :)
[15:27] your host doesn't need to lookup dns on the bridge
[15:28] thanks. So the bond would be enough
[15:29] if that's your default gateway for the host, yes
[15:30] it is. I thought the dns was setup systemwide
[15:30] it is.
[15:30] all that happens is ifup eventually calls resolvconf and passes the nameserver config to it.
[15:30] assuming you are using resolvconf
[15:32] yes, resolvconf. Thanks
[15:34] I'm trying to get an enterprise to support running their products on Ubuntu. Do we have any good sourced data on enterprise server use of Ubuntu vs other distributions (RHEL for example)? I'm looking for percentages or a graph etc.
[15:37] :D Just got ICS working between my server and my laptop, with the Win7 laptop as the host
[15:39] hmm. Trying to set the DNS server, and resolv.conf says not to edit it by hand
[15:39] GeekDude, https://help.ubuntu.com/12.04/serverguide/network-configuration.html#name-resolution
[15:40] Delemas: there used to be something like that
[15:40] ah, thanks
[15:40] I just found this which might be good enough: http://w3techs.com/technologies/details/os-linux/all/all
[15:40] It is all web servers vs. enterprise use though...
[15:41] spidernik84: Thanks. DNS is working now
[15:42] np!
[15:42] P=!NP
[16:04] Uuh, am I missing something, or can I not just do apt-get install xfce
[16:05] apt-get install xfce4?
[16:08] Why is my terminal only 36 lines tall, when the current screen resolution is 1600x1200? It only takes up 1/4 of the space in the top left corner
[16:09] GeekDude: Yes, xfce4 for just the desktop
[16:10] oh, nvm. I'm an idiot.
[16:10] It's only taking up that much space because I have an s-video cable plugged into my graphics card
[16:11] It's showing hi-res in a small area of the screen, as opposed to low res
[16:22] hi all.
[16:23] how to enable ubuntu (ipv4) can communicate with ipv6 . I seem my ubuntu can't ping ipv6.google.com.
[16:23] or even lookup IP
[16:35] hi folks
[16:44] I'm running 12.04.4 x64. i'm testing the openldap server with JMeter. i added "session required pam_limits.so" in /etc/pam.d/common-session. i added "* hard nofile 65000 | root hard nofile 65000 | openldap hard nofile 65000" in /etc/security/limits.conf. i added "fs.file-max = 65536" in /etc/sysctl.conf. With all these configurations, i follow to have "Too Many Open files" with cat /proc/sys/fs/file-nr > 1696 0 65536
[16:49] so what's the future of upstart?
[17:04] metasansana, whatever you make of it :)
[17:18] <_root_> hello guys
[17:18] * _root_ asks for help on the subject http://askubuntu.com/questions/429743/setting-max-connections-in-mysql-server-globally
[17:19] !ask
[17:19] Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[17:22] _root_: isn't that just setting max_connections?
[17:23] <_root_> RoyK, I don't know nothing about this; If you know plz explain m8.
[17:23] just set max_connections in my.cnf to whatever max you want
[17:23] _root_: mysql> show variables like 'max_connections';
[17:24] that'll show the current
[17:26] <_root_> RoyK, How to force mysql to create only 3 process for example
[17:26] Question: Anyone know how to choose a different typeface for the console?
[17:26] _root_: why?
[17:27] <_root_> RoyK, Look at the Q? my sql on the new Server install creates 20 processes and eats 50% of memory
[17:27] _root_: innodb and myisam have different tuning parameters for the number of threads to be started
[17:27] _root_: google a bit about mysql tuning. btw - how much memory is in this machine?
[17:27] <_root_> RoyK, innodb myisam?
[17:27] <_root_> RoyK, 1GB
[17:28] _root_: not a whole lot
[17:28] _root_: better tune down memory use for mysql
[17:28] <_root_> RoyK, It is a VPS not a DS
[17:29] understood
[17:29] (but what's DS?)
[17:29] <_root_> RoyK, that's what I am asking. HOW to tell mysql to create for example 5 processes instead of 20. (DS = dedicated Server)
[17:30] it doesn't matter how many processes it starts
[17:30] <_root_> RoyK, and this is the first time I have this problem.
[17:30] it matters how much memory it uses
[17:30] _root_: how big is the database?
[17:30] <_root_> RoyK, yes; I agree with you.
[17:31] <_root_> RoyK, it is not big at all. it is a fresh install. I don't even have a database in my sql right now
[17:31] Does ubuntu server come with sound drivers? Or do I need to install alsa or something
[17:31] _root_: pastebin "ps axfv" output
[17:31] !pastebin | _root_
[17:31] _root_: For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://imagebin.org/?page=add | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.
[17:32] <_root_> GeekDude, I install 12.04.4 LTS yesterday and I was installed by default
[17:32] <_root_> maybe install an alsamixer?
[17:33] hmm
[17:34] alsamixer fails unless run as root?
[17:36] hmm... xfce added a neat background to grub it seems
=== tyhicks` is now known as tyhicks
[17:41] ah. Sounds only work as root
[17:41] do I need to add myself to some user group or something?
[17:43] GeekDude: audio
[17:43] sudo adduser me audio
[17:43] Yes?
[17:44] yes
[17:45] then log out and back in
=== matsubara is now known as matsubara-lunch
[17:47] Great, it works. Thanks!
[17:47] * GeekDude watches youtube
[17:50] _root_: did you pastebin that?
[17:55] <_root_> RoyK, it is something wrong. I can't even VNC to it now? I am trying wait
[17:55] k
[18:00] <_root_> RoyK, 76% memory; No wonder I can't Vnc
[18:01] _root_: ps axfv|pastebinit
[18:01] <_root_> RoyK, http://paste.ubuntu.com/7039765/
[18:02] _root_: and free?
[18:02] _root_: not a whole lot of real memory used there
[18:02] <_root_> RoyK,
[18:06] <_root_> RoyK, What do you mean; So why 75% memory?
[18:07] <_root_> RoyK, http://paste.ubuntu.com/7039792/ it is after a reboot
[18:12] _root_: did you pastebin output of 'free'?
[18:14] <_root_> RoyK, http://paste.ubuntu.com/7039840/
[18:19] _root_: that tells you you're using about 100MB of RAM
[18:19] the rest is buffers/cache
[18:19] the first row of "used" will climb
[18:19] because that includes what's used for buffers/cache
[18:20] that memory will be released if needed
[18:20] <_root_> RoyK, So did i go under attack of some kind? it was 75% about a minute ago
[18:21] doubt it
[18:21] did you check the -/+ buffers/cache: row?
[18:22] _root_: also, if you're afraid of being attacked, make sure to enable ufw. "ufw allow ssh && ufw enable"
[18:22] perhaps "ufw status" first to check if it's enabled already
[18:24] <_root_> RoyK, inactive
[18:24] then enable it
[18:24] it's easy and secure
[18:24] just make sure to open for stuff you need from the outside, like http
[18:25] and make sure you allow ssh before you enable it
[18:26] <_root_> RoyK, Thank m8; really Helped
[18:26] * _root_ gives RoyK +1
[18:27] _root_: now, by default, your vm will only be accessible by ssh, ufw allow http etc will open up
[18:27] man ufw for more info
[18:30] <_root_> RoyK, T H A N K Y o U man
[18:30] <_root_> really
[18:30] np :)
=== Logan_ is now known as Logan-
=== rcsheets_ is now known as rcsheets
[18:42] _root_: run some tests with mysql/apache and check "free" output again, and you'll see that the amount of "free" memory drastically decreases, which is fine, since it's used for caching ;)
[18:44] <_root_> RoyK, So what you are saying ; Is that the web server and mysql claim the memory but not use it. and if the load added to them they use what they grabbed before
[18:44] no, I'm saying they don't, but that linux probably uses the memory for caching
[18:45] _root_: let it run for some time, do some tests, don't reboot, and post ps axfv; free etc
=== Logan- is now known as Logan_
=== marlinc_ is now known as Marlinc
=== matsubara-lunch is now known as matsubara
[20:40] smb, ping me tomorrow and we'll sort iscsitarget once and for all :-)
[20:48] I own this server and I have two apps in two separate directories on the server. Can i have the apps accessible via a single domain?
[21:02] Has anyone here done a Ubuntu install from HP ILO?
[21:03] zenadm1n: Why?
[21:03] !anyone | zenadm1n
[21:03] zenadm1n: A high percentage of the first questions asked in this channel start with "Does anyone/anybody..." Why not ask your next question (the real one) and find out? See also !details, !gq, and !poll.
[21:06] HP ILO gives me the option of RHEL or SUSE. Ubuntu isn't an option although HP says it's supported.
[21:06] Hey, I'm wondering what's the reasoning for not including MariaDB in the Ubuntu repos. Can anybody help me understand?
[21:08] zenadm1n: HP ILO doesn't have such a menu at all. HP SmartStart does.
[21:08] zenadm1n: ILO is the management web interface.
[21:10] DeltaHeavy: http://packages.ubuntu.com/trusty/database/
[21:11] DeltaHeavy: mariadb is in the repos for trusty
[21:11] henkjan_: They're not in 12.04 though >:
[21:12] 12.04. almost 2 years ago no distro had mariadb in the repos
[21:13] henkjan_: I thought they might add it in though.
[21:14] DeltaHeavy: no. only existing software is updated. no new software is being added once a release is done
[21:15] Ok, got it.
[21:16] Thanks!
=== hggdh_ is now known as hggdh
[21:42] zul, ceilometer -> python-croniter
=== RoyK is now known as Royk^
=== Royk^ is now known as RoyK
[22:30] hmm...
[22:31] why would upstart say a job is unknown?
[22:31] when I can see it in /etc/init
[22:31] it did seem that udev wasn't started due to too many open files when I started the container
[22:31] btw, this is inside an lxc container
[22:31] I started about 50 at once
[22:31] load testing to see if it died....
[22:31] lxc tells me all the machines are running
[22:32] I can ssh into it
[22:32] but juju failed to start the machine agent
[22:32] and when I try to start it manually, it fails
[22:32] saying "unknown job"
=== mjohnson15_2 is now known as mjohnson15
[22:34] jamespage: seriously?!
[22:56] hi, does anyone know of a program that can do a similar thing to system restore in windows? i need to make a lot of changes to my server, and would like to be able to restore it if it all goes to hell. any suggestions?
[22:57] i've considered using dd, but i'm not sure if it'd be safe or reliable to use dd if=/ of /path/to/backup.img
[22:57] ...while the system is running
[22:58] m1sf1t: nothing exactly like windows's system restore.. a few ideas, you can use e.g. btrfs or zfs snapshotting at the filesystem level, or use lvm snapshots at the block level, or you can use dd to generate a disk image that you could use to overwrite the server ..
[22:58] you shouldn't use dd if=/dev/blah if /dev/blah is mounted read-write. if it is mounted read-only it ought to function.
[22:58] sarnold: do you know if dd would be safe or reliable to use while running? or should i boot a live cd and do it that way?
[22:59] m1sf1t: live cd would be easiest
[23:00] m1sf1t: ooh, I'm proud of this one :) you could use qemu-img to convert the disk image into a qcow2 image, snapshot, do the work in a vm, and either re-export it or rollback
[23:00] sarnold: hmm... downtime :/ i think i'll have to do that. also, if i were to dd the whole filesystem (80GB) do you know if it's possible to reduce that size? or is that restricted by the filesystem?
[23:01] m1sf1t: you'll have to read all 80 gigs, but you might not have to write all 80 gigs, if you use the conv=sparse option and your 'empty space' has been zeroed already...
[23:03] sarnold: just saw what you said about qemu-img, that sounds interesting :) a bit confused haha but i see what you're getting at
[23:04] sarnold: i think i'll keep it at 80GB. although i would have to do it now lol as it's the least busy time
[23:05] sarnold: i'll be replacing my file server hdd with a 2TB soon so i can make do with a little less storage for now ;)
=== bradm1 is now known as bradm
[23:08] m1sf1t: woo :)
[23:10] sarnold: haha :) thanks for the advice, i'm gonna boot into a cd now then, so gotta go. bye :)
[23:10] m1sf1t: have fun!
[23:11] sarnold: will do! staring at a terminal with no idea how long dd has left lol :D
[23:11] sarnold: cya
[23:12] dd could really use some kind of progress indicator
[23:12] ( when source or dest ore finite)
[23:12] *are
[23:13] definitely. I wish linux supported siginfo
[23:21] jamespage: i have it packaged locally with tests running so ill upload it tomorrow
[23:38] sarnold: back, i forgot... ubuntu server is installed on a raid1 software array (the default one in the ubuntu server setup). the live cd hasn't recognised it :( do you know how to mount md0, when it doesn't even show under /dev/ ?
[23:38] sarnold: well, not mount. i just need to get an ubuntu live cd to recognise it
[23:39] m1sf1t: yikes, that's not good. sorry, I don't know anything about mdadm stuff :(
[23:40] sarnold: haha me neither :( this is the first time i've even used raid, had to google the numbers lol