/srv/irclogs.ubuntu.com/2014/05/16/#ubuntu-server.txt

=== runnermp is now known as runnermp_
=== runnermp_ is now known as runnermp
=== runnermp is now known as runnermp_
=== runnermp_ is now known as runnermp
=== esde is now known as Guest57864
05:46 <Voyage> Hi
=== _loc4l is now known as loc4l
06:53 <lordievader> Good morning.
07:16 <samiux> when apparmor service is enabled, there are a lot of syslog entries.  is it normal?
07:16 <samiux> it is a ton of syslog, I mean.
07:17 <jjohansen> samiux: no and yes
07:18 <samiux> jjohansen, what is the meaning of "no and yes"?
07:18 <jjohansen> samiux: if your profiles are properly developed, then there should not be any denials
07:18 <jjohansen> samiux: when developing profiles you can have a LOT
07:18 <samiux> the syslog entries are all "ALLOWED".
07:19 <samiux> You mean in complain mode?
07:19 <jjohansen> samiux: right
07:19 <samiux> I see, thanks, jjohansen
07:19 <jjohansen> samiux: complain mode will tag all log entries that would have been denied as ALLOWED
07:28 <samiux> jjohansen, yes, you are right.  when the apache2 profile is in force, no more entry in syslog.  thanks.
07:28 <jjohansen> samiux: this is distinct from DENIED, which you can still get (other profiles in enforce mode, or even explicit denials that are audited), there is also an AUDIT message, which is an access that is allowed in policy but an audit entry has been requested. An example would be
07:28 <jjohansen>   audit /etc/shadow w,
07:28 <jjohansen> so that any write to /etc/shadow has an audit entry
07:36 <samiux> jjohansen, thanks for the info
08:02 <stephank> The scatter/gather option on a network interface (as in, ethtool -K ethX sg on/off) is solely a performance optimisation, correct?
08:03 <stephank> I'm wondering if it's going to have any effect on my application if I disable it.
=== yofel_ is now known as yofel
08:20 <FrEaKmAn_> hi all.. for example if I have an app which runs on server and stores some data.. where should I store data? what is the best practice? /var/mydata?
08:21 <FrEaKmAn_> and this is an app that runs on a server, not a webpage or something similar
08:22 <NOC> -
08:22 <NOC> /usr/bin/local
09:16 <stiv2k> hello
09:17 <stiv2k> how do i know if my openssl is ok?
09:17 <stiv2k> and, i think i need to re-generate my certificate
09:17 <stiv2k> https://lastpass.com/heartbleed/?h=stiv2k.info
09:51 <dw1> if you're updated it should be fixed.  check version dpkg -l | grep openssl
09:51 <stiv2k> dw1: i have an old ubuntu though
09:51 <stiv2k> 12.10
09:51 <dw1> no longer supported, good chance its bugged
09:51 <dw1> oh actually no
09:51 <dw1> it just ends support today :)
09:52 <dw1> what is openssl version?
09:52 <stiv2k> ii  openssl                            1.0.1c-3ubuntu2.8                      i386         Secure Socket Layer (SSL) binary and related cryptographic tools
09:54 <dw1> apparently it was fixed in 2.7 https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7
09:54 <stiv2k> so im good?
09:54 <dw1> yeah, but could have been compromised before that
09:54 <stiv2k> do i need to regenerate cert?
09:54 <dw1> you can use this online tester too https://filippo.io/Heartbleed/
09:55 <dw1> to be safe, yeah, it was an unknown bug for ~2 years as I understand
09:55 <stiv2k> https://filippo.io/Heartbleed/#stiv2k.info
10:13 <dw1> stiv2k: youre not vulnerable.. i checked with nmap, e.g. https://pastee.org/czavy
10:14 <dw1> stiv2k: https://pastee.org/x8jdy
10:31 <dw1> !sslbug
10:31 <ubottu> A fix for the recent OpenSSL vulnerabilities (2014-0076 & 0160) has been pushed to the Ubuntu repositories, see http://www.ubuntu.com/usn/usn-2165-1/ and http://heartbleed.com/ for more information.
=== Guest57864 is now known as esde
11:14 <pmatulis> morning
11:46 <dw1> http://www.webhostingtalk.com/showthread.php?t=1374900 ?!
11:48 <dw1> Just got this scary email from provider about linux kernel vulnerability: https://pastee.org/rfd2h
11:50 <dw1> Is latest 14.04 kernel affected? Hmm
11:56 <dw1> http://www.hostingseclist.com/
11:58 <cfhowlett> dw1 the notice specifically states the fix...
12:00 <dw1> k sounds good :)
12:03 <dmsimard> jamespage: ping ?
=== racedo_ is now known as racedo
=== ciastek_ is now known as ciastek
12:37 <sander^work> How do I check the version of an apt-get package before I install it?
12:37 <cfhowlett> sander^work apt-cache policy packagename
12:39 <dmsimard> sander^work: apt-cache show <package> works also
12:53 <sander^work> is that the version I get when doing dist-upgrade, or upgrade?
12:53 <sander^work> dmsimard, cfhowlett
12:54 <sander^work> ..in case of an upgrade
12:54 <cfhowlett> sander^work to get the latest packages for your current installed distro:   sudo apt-get dist-upgrade
12:55 <sander^work> cfhowlett, Yes, I know. But I want to check which version i'm upgrading to, before I do it.
12:55 <cfhowlett> sander^work note: this DOES NOT upgrade your os, so if you're on 12.04, you will remain on 12.04
12:55 <sander^work> package version.
12:56 <cfhowlett> sander^work as I understand it, the "available" package version is the one for your distro.
12:57 <sander^work> cfhowlett, Yes, and apt-cache policy/show displays this new version of a package i'm about to upgrade.. but does it take into account the package I get when doing upgrade or dist-upgrade?
12:58 <cfhowlett> sander^work new "available" version will be the highest package number available to you via upgrade
12:59 <sander^work> cfhowlett, so it will display the highest version of a package even if it's held back by apt-get when doing a regular upgrade?
12:59 <sander^work> ..I guess :-)
13:11 <jamespage> jodh, did we ever get to a consistent way of disabling/enabling upstart and init.d scripts?
13:12 <jodh> jamespage: you mean the chkconfig-alike for upstart? No, that never happened.
13:13 <jamespage> jodh, great- that's what i thought
13:17 <jamespage> jodh, does chkconfig actually work in Ubuntu for init.d based stuff?
13:28 <dmsimard> jamespage: I was hoping I could bring your attention to these ubuntu-cloud-archive packages that are broken and preventing swift from working properly: bit.ly/1szWmsa
13:30 <jamespage> dmsimard, hmm - that's odd - that did not show in my testing
13:30 <jamespage> dmsimard, this is on 12.04 or 14.04?
13:31 <hallyn> smb: zul: bug 1320031
13:31 <uvirtbot> Launchpad bug 1320031 in libvirt "libvirt package is not being build with flag --with-libxl" [Undecided,New] https://launchpad.net/bugs/1320031
13:31 <dmsimard> jamespage: I'm experiencing the issue with cloud archive on 12.04. The bug reporter (and AskOpenstack) are reporting issues on 14.04 as well
13:31 <jamespage> dmsimard, oh - I see
13:32 <jamespage> dmsimard, its with the ceilometer integration enabled
13:32 <dmsimard> jamespage: people in #openstack-swift are saying it could be a conflict with ceilometer
13:32 * jamespage thinks that might be a testing gap
13:32 <smb> hallyn, IMO that is not needed when libxl is found
13:32 <jamespage> dmsimard, ah indeed - pecan>=0.4.5
13:32 <hallyn> smb: no idea.  i do know that when i tried to build without --without-libxl, compilation failed for me
13:32 <jamespage> zul, ^^
13:33 <hallyn> smb: but i wasn't even sure if you wanted libxl, so i just wanted to make sure you knew about the bug
13:33 <smb> hallyn, Right and since I use the xl stack I am quite positive it is built using libxl
13:33 <smb> hallyn, ok sur
13:33 <smb> sure
13:34 <hallyn> smb: thanks :)  (zul might also care)
13:35 <hallyn> me i'll be having to get comfortable with hyperv and windows guests, i think, bc a bunch of related bugs are cropping up
13:36 <dmsimard> jamespage: doh, zul went ping timeout :p
13:36 <dmsimard> you scared him off IMO
13:36 <jamespage> dmsimard, I'm not far from him this week so will go find him
13:37 <dmsimard> jamespage: You guys are at the summit ?
13:37 <hallyn> i bet jamespage is sitting at a table with zul,
13:37 <hallyn> "answer my ping on irc"
13:39 <jamespage> dmsimard, yes
13:39 <dmsimard> jamespage: Nice. Wish I could be, some of my colleagues are there though. Lucky them :D
13:41 <jamespage> dmsimard, so it looks like we have a too new version of happybase and an old version of pecan
13:41 <jamespage> dmsimard, the problem is in ceilometer, symptoms in swift
13:41 <jamespage> for the time being you can disable the ceilometer egg to work around it
13:44 <dmsimard> jamespage: I'm working around it manually already but it's .. inconvenient
=== arlen is now known as Guest74093
=== arlen_ is now known as Guest43997
13:50 <dmsimard> jamespage: Thanks for your attention, appreciate it.
=== medberry is now known as Guest10927
=== med_ is now known as Guest16372
15:18 <shwaiil> Q: I was talking about sshfs to mount a remote dir, so I could use my sublime-text from my local machine. Someone told me, I can actually run sublime-text directly from my ubuntu server ? and it launches my local sublime-text ?
15:18 <shwaiil> so I don't have to rely on sshfs or nfs, etc. How does that work ?
15:19 <shwaiil> Never seen that before.
15:19 <shwaiil> he also mentioned: you may have to authorize the remote host to display content on local machine via 'xhost + remote_ip' ( on local machine )
15:19 <shwaiil> does anyone know anything about this ?
=== ValicekB_ is now known as ValicekB
15:52 <qman__> shwaiil: I believe that is referring to X11 forwarding over SSHb
15:53 <qman__> SSH*
15:53 <jpds> There's also xpra
15:53 <jpds> !info xpra
15:53 <ubottu> xpra (source: xpra): tool to detach/reattach running X programs. In component universe, is optional. Version 0.12.3+dfsg-1ubuntu1 (trusty), package size 775 kB, installed size 3537 kB
15:55 <pmatulis> was testing xpra yesterday on trusty.  it's quite actively developed
16:17 <medberry> jamespage, I'm doing a new OpenStack Icehouse deploy this week. Should I build on Precise and upgrade it to Trusty later (current plan) or bite the bullet and go to Trusty first? (just asking for a best practice/recommendation based on current stability/maturity of each)
16:18 <medberry> thanks, trusty it is
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
17:22 <rostam> HI I am using ubuntu 12.04 lts.. we are observing some performance issues. Any recommendation on what profiling tool to use to root cause the issue? thx
17:23 <rostam> k
17:25 <SCHAAP137> performance issues in which sense?
17:28 <sarnold> rostam: there are dozens to pick from :) one of my favorites is the 'vmstat 1' output, check the 'so' and 'si' columns to see if you need to buy more ram :)
17:28 <rostam> we have a multi-threaded application, some of the threads are queued on an interrupt from video sync and are missed.
17:28 <rostam> sarnold, thx I will look into those, but we have lots of ram
17:28 <sander__> Is the recent local root security bug fixed in 10.04 ?
17:29 <sarnold> sander__: which one?
17:29 <sander__> sarnold, are there several ones? Thinking about the race condition one.
17:29 <sarnold> sander__: ah, then it might have been this: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196.html
17:29 <uvirtbot> sarnold: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196)
17:30 <sarnold> sander__: if it's the one I think you're thinking of, then yes, updates were released on 5th of may
17:50 <zriddick|2> should I set up both an external and an internal nic on a mail server
17:52 <sarnold> zriddick|2: that's probably more hassle than it is worth.
17:53 <zriddick|2> ok I am wondering why zentyal has an option for external or internal on the nic settings
17:53 <zriddick|2> but that seems to be the common response
17:54 <sarnold> zriddick|2: I can imagine scenarios where it might make sense, but it feels to me that if you've got a good reason for an internal mail server address and an external mail server address, having them on two servers is probably the wise next step :)
17:55 <zriddick|2> understood
17:56 <zriddick|2> when you set it up you get all kinds of crazy stuff happening
17:56 <zriddick|2> Ill stick with the one
18:51 <rostam> Hi I am using ubuntu 12.04. I am trying to install an opensource driver after compiling (lttng-modules-2.0.2). It seems during installation it requires a private key, I keep getting this error: Can't read private key.  Is there any way I can force install it? thx
18:59 <patdk-wk> rostam, you need to ask lttng
18:59 <rostam> patdk-wk, thx
=== elliotd123_ is now known as elliotd123
19:22 <Macer> good afternoon
20:57 <justizin> is there an equivalent to policy-rc.d for update-rc.d ? i somehow thought policy-rc.d would prevent both starting and enabling of services installed by packages, but i’m finding that they don’t start on install, but do on reboot.
=== RaptorJesus_ is now known as RaptorJesus
21:29 <axisys> I wanted to save people from having to keep typing their securid password every time they login to a router, and we have tons of backbone routers
21:29 <axisys> how to cache authentication credentials instead of sending the authentication request to the authentication server if the request comes within say 5 mins of the last successful authentication?
21:30 <axisys> our setup is like this tacacs -> pam -> radius on securid server
21:31 <sarnold> axisys: my first thought is to look into using sssd to cache credentials; keep in mind that I've not actually -used- sssd myself, I've just spent an hour skimming their documentation a few months ago..
21:32 <sarnold> axisys: maybe simpler, try the pam_succeed_id module
21:33 <axisys> sarnold: google thinks pam_succeed_if ?
21:33 <sarnold> axisys: ignore google, just 'man pam_succeed_if', that ought to get you there :)
21:38 <axisys> read it a few times.. not sure if I'm following.. can it do something like this? if pam_radius was successful 5 mins ago then login succeeds and no need to send another auth request?
21:40 <sarnold> axisys: that's my thought... I haven't looked into it deeply, it might not be even close..
21:41 <axisys> so sssd can talk to a pam library and keep the success in cache for a certain time for any future auth req ?
21:42 <sarnold> axisys: I believe so, yeah
21:46 <axisys> hmm.. so caching auth credentials is a feature with sssd.. nice.. but I do not know if it can talk to PAM..
21:47 <axisys> at least not showing anything here
21:47 <axisys> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-authconfig-auth.html
21:47 <axisys> maybe need to read more to find out
21:49 <axisys> ok.. so pam is an option
21:49 <axisys> services = nss, pam
21:49 <axisys> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/Configuring_Services.html
21:49 <axisys> thanks
21:50 <sarnold> axisys: yeah, it looks like it's a Big Thing, but it feels like it should be able to do whatever it is you need doing. :)
22:01 <stiv2k> dw1: thank you
=== guampa_ is now known as guampa
22:43 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY
22:44 <cloudman> why is rkhunter not updating on 12.04???
22:44 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?!
22:45 <sarnold> cloudman: what do you mean by 'updating'?
22:45 * Godzilla1954III FINDS THE F{}CK MONKEY AND GIVES IT A GOOD OL' FASHIONED F{}CKING TO DAT BITCH ASS
22:46 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES
22:46 <cloudman> just ran rkhunter --update and get an error, one moment
22:46 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu
22:46 <cloudman> Checking file i18n versions                                [ Update failed ]
22:47 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu GODDAMN PUPPY WHERE THE HELL ARE YOU SCREW YU GUYS AIM GOING HOME HONEY IM HOME TIME FOR YOU BEEATING TROLOLOLOLO
22:47 <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu GODDAMN PUPPY WHERE THE HELL ARE YOU SCREW YU GUYS AIM GOING HOME HONEY IM HOME TIME FOR YOU BEEATING TROLOLOLOLO FURURURURURURUR
22:47 <Catdaemon> apt-get install toaster
22:47 <cloudman> o shut up dude
22:48 <dcosnet> what the hell...
22:48 * Godzilla1954III walks away
22:48 <cloudman> sarnold:  Checking file i18n versions [ Update failed ]
22:48 * Godzilla1954III apologizes to cloudman and sarnold and other people
22:49 <cloudman> just shut up is better :)
22:49 <Godzilla1954III> tomaw: I'm done here.
22:49 <Catdaemon> worst channel flood of all time
22:49 <Godzilla1954III> sorry about that.
22:49 <sarnold> tomaw: <3
22:50 <cloudman> prove it and shut up
=== Godzilla1954III is now known as Godzilla|Away
22:50 <cloudman> prefer godzilla gone
22:51 <cloudman> why is rkhunter not updating???
22:52 <cloudman> not another heartbleed thing I hope
22:53 <cloudman> not updating because it does not want to detect something
22:55 <cloudman> anyone running 12.04 can you try rkhunter --update and see what happens
23:27 <Patrickdk> cloudman, invalid command
=== a1berto_ is now known as a1berto
23:57 <lorfds> i am locking down a production ubuntu web server
23:57 <lorfds> i am trying to figure out if i should just be using ufw
23:57 <lorfds> or if i should be digging into nftables
23:57 <lorfds> is ufw generally secure?
23:57 <lorfds> this isn’t a super secure server, but i want to defend against most automated attacks
23:58 <Catdaemon> ufw is a frontend for iptables
23:58 <lorfds> would you say setting deny for everything except 80 and 443 is generally secure?
23:58 <lorfds> or are there other things i should be doing regarding the firewall?
23:58 <sarnold> lorfds: ufw is a nice-enough frontend for iptables; it might not have all the bells and whistles of more complicated configuration tools or hand-written rules, but if it is easy enough to be used, that's awesome :)
23:59 <lorfds> also, what timezone do you use for your server?
23:59 <sarnold> lorfds: allowing ssh access from some specific networks might be nice too
23:59 <lorfds> this is u.s. based…serving east coast at first and eventually all u.s.
23:59 <lorfds> is utc the best you think?
23:59 <Catdaemon> ufw allow ssh, ufw allow http and ufw allow https should be good for you
23:59 <lorfds> sarnold…i blanket enabled ssh
23:59 <Catdaemon> don't forget to allow ssh if it's a remote server or you're in for a fun time
23:59 <lorfds> should i make it more specific for ssh access?