[05:46] <Voyage> Hi
[06:53] <lordievader> Good morning.
[07:16] <samiux> when apparmor service is enabled, there are a lot of syslog entries.  is it normal?
[07:16] <samiux> it is a ton of syslog, I mean.
[07:17] <jjohansen> samiux: no and yes
[07:18] <samiux> jjohansen, what is the meaning of "no and yes"?
[07:18] <jjohansen> samiux: if your profiles are properly developed, then there should not be any denials
[07:18] <jjohansen> samiux: when developing profiles you can have a LOT
[07:18] <samiux> the syslog entries are all "ALLOWED".
[07:19] <samiux> You mean in complain mode?
[07:19] <jjohansen> samiux: right
[07:19] <samiux> I see, thanks, jjohansen
[07:19] <jjohansen> samiux: complain mode will tag all log entries that would have been denied as ALLOWED
[07:28] <samiux> jjohansen, yes, you are right.  when the apache2 profile is in force, no more entry in syslog.  thanks.
[07:28] <jjohansen> samiux: this is distinct from DENIED, which you can still get (other profiles in enforce mode, or even explicit denials that are audited), there is also an AUDIT message, which is an access that is allowed in policy but an audit entry has been requested. An example would be
[07:28] <jjohansen>   audit /etc/shadow w,
[07:28] <jjohansen> so that any write to /etc/shadow has an audit entry
[07:36] <samiux> jjohansen, thanks for the info
[08:02] <stephank> The scatter/gather option on a network interface (as in, ethtool -K ethX sg on/off) is solely a performance optimisation, correct?
[08:03] <stephank> I'm wondering if it's going to have any effect on my application if I disable it.
[08:20] <FrEaKmAn_> hi all.. for example if I have an app which runs on server and stores some data.. where should I store data? what is the best practice? /var/mydata?
[08:21] <FrEaKmAn_> and this is an app that runs on a server, not a webpage or something similar
[08:22] <NOC> -
[08:22] <NOC>  /usr/bin/local
[09:16] <stiv2k> hello
[09:17] <stiv2k> how do i know if my openssl is ok?
[09:17] <stiv2k> and, i think i need to re-generate my certificate
[09:17] <stiv2k> https://lastpass.com/heartbleed/?h=stiv2k.info
[09:51] <dw1> if you're updated it should be fixed.  check version dpkg -l | grep openssl
[09:51] <stiv2k> dw1: i have an old ubuntu though
[09:51] <stiv2k> 12.10
[09:51] <dw1> no longer supported, good chance its bugged
[09:51] <dw1> oh actually no
[09:51] <dw1> it just ends support today :)
[09:52] <dw1> what is openssl version?
[09:52] <stiv2k> ii  openssl                            1.0.1c-3ubuntu2.8                      i386         Secure Socket Layer (SSL) binary and related cryptographic tools
[09:54] <dw1> apparently it was fixed in 2.7 https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7
[09:54] <stiv2k> so im good?
[09:54] <dw1> yeah, but could have been compromised before that
[09:54] <stiv2k> do i need to regenerate cert?
[09:54] <dw1> you can use this online tester too https://filippo.io/Heartbleed/
[09:55] <dw1> to be safe, yeah, it was an unknown bug for ~2 years as I undersatnd
[09:55] <stiv2k> https://filippo.io/Heartbleed/#stiv2k.info
[10:13] <dw1> stiv2k: youre not vulnerable.. i checked with nmap, e.g. https://pastee.org/czavy
[10:14] <dw1> stiv2k: https://pastee.org/x8jdy
[10:31] <dw1> !sslbug
[11:14] <pmatulis> morning
[11:46] <dw1> http://www.webhostingtalk.com/showthread.php?t=1374900 ?!
[11:48] <dw1> Just got this scary email from provider about linux kernel vulnerability: https://pastee.org/rfd2h
[11:50] <dw1> Is latest 14.04 kernel affected? Hmm
[11:56] <dw1> http://www.hostingseclist.com/
[11:58] <cfhowlett> dw1 the notice specifically states the fix...
[12:00] <dw1> k sounds good :)
[12:03] <dmsimard> jamespage: ping ?
[12:37] <sander^work> How do I check the version of an apt-get package before I install it?
[12:37] <cfhowlett> sander^work apt-cache policy packagename
[12:39] <dmsimard> sander^work: apt-cache show <package> works also
[12:53] <sander^work> is that the version I get when doing dist-upgrade, or upgrade?
[12:53] <sander^work> dmsimard, cfhowlett
[12:54] <sander^work> ..in case of an upgrade
[12:54] <cfhowlett> sander^work to get the latest packages for your current installed distro:   sudo apt-get dist-upgrade
[12:55] <sander^work> cfhowlett, Yes, I know. But I want to check which version i'm upgrading to, before I do it.
[12:55] <cfhowlett> sander^work note: this DOES NOT upgrade your os, so if you're on 12.04, you will remain on 12.04
[12:55] <sander^work> package version.
[12:56] <cfhowlett> sander^work as I understand it, the "available" package version in the one for your distro.
[12:57] <sander^work> cfhowlett, Yes, and apt-cache policy/show displays this new version of a package i'm about to upgrade.. but does it take into account the package I get when doing upgrade or dist-upgrade?
[12:58] <cfhowlett> sander^work new "available" version will be the highest package number available to you via upgrade
[12:59] <sander^work> cfhowlett, so it will display the highest version of a package even if it's hold back by apt-get when doing an regular upgrade?
[12:59] <sander^work> ..I guess :-)
[13:11] <jamespage> jodh, did we ever get to a consistent way to disabling/enabling upstart and init.d scripts?
[13:12] <jodh> jamespage: you mean the chkconfig-alike for upstart? No, that never happened.
[13:13] <jamespage> jodh, great- that what i though
[13:17] <jamespage> jodh, does chkconfig actually work in Ubuntu for init.d based stuff?
[13:28] <dmsimard> jamespage: I was hoping I could bring your attention to these ubuntu-cloud-archive packages that are broken and preventing swift from working properly: bit.ly/1szWmsa
[13:30] <jamespage> dmsimard, hmm - that's odd - that did not show in my testing
[13:30] <jamespage> dmsimard, this is on 12.04 or 14.04?
[13:31] <hallyn> smb: zul: bug 1320031
[13:31] <dmsimard> jamespage: I'm experiencing the issue with cloud archive on 12.04. The bug reporter (and AskOpenstack) are reporting issues on 14.04 as well
[13:31] <jamespage> dmsimard, oh - I see
[13:32] <jamespage> dmsimard, its with the ceilometer integration enabled
[13:32] <dmsimard> jamespage: people in #openstack-swift are saying it could be a conflict with ceilometer
[13:32]  * jamespage thinks that might be a testing gap
[13:32] <smb> hallyn, IMO that is not needed when libxl is found
[13:32] <jamespage> dmsimard, ah indeed - pecan>=0.4.5
[13:32] <hallyn> smb: no idea.  i do know that when i tried to build without --without-lbixl, compilation failed for me
[13:32] <jamespage> zul, ^^
[13:33] <hallyn> smb: but i wasn't even sure if you wanted libxl, so i just wanted to make sure you knew about teh bug
[13:33] <smb> hallyn, Right and since I use the xl stack I am quite positive it is build using libxl
[13:33] <smb> hallyn, ok sur
[13:33] <smb> sure
[13:34] <hallyn> smb: thanks :)  (zul might also care)
[13:35] <hallyn> me i'll be having to get comfortable with hyperv and widnows guests, i think, bc a bunch of related bugs are cropping up
[13:36] <dmsimard> jamespage: doh, zul went ping timeout :p
[13:36] <dmsimard> you scared him off IMO
[13:36] <jamespage> dmsimard, I'm not far from him this week so will go find him
[13:37] <dmsimard> jamespage: You guys are at the summit ?
[13:37] <hallyn> i bet jamespage is sitting at a table with zul,
[13:37] <hallyn> "answer my ping on irc"
[13:39] <jamespage> dmsimard, yes
[13:39] <dmsimard> jamespage: Nice. Wish I could be, some of my colleagues are there though. Lucky them :D
[13:41] <jamespage> dmsimard, so it looks like we have a to new version of happybase and an old version of pecan
[13:41] <jamespage> dmsimard, the problem is in ceilometer, symptoms in swift
[13:41] <jamespage> for the time being you can disable the ceilometer egg to workaround
[13:44] <dmsimard> jamespage: I'm working around it manually already but it's .. inconvenient
[13:50] <dmsimard> jamespage: Thanks for your attention, appreciate it.
[15:18] <shwaiil> Q: I was talking about sshfs to mount a remote dir, so I could use my sublime-text from my local machine. Someone told me, I can actually run sublime-text directly from my ubuntu server ? and it launches my local sublime-text ?
[15:18] <shwaiil> so I don't have to relay on sshfs or nfs, etc. How does that work ?
[15:19] <shwaiil> Never seen that before.
[15:19] <shwaiil> he also mentioned: you may have to authorized the remote host to display content on local machine via 'xhost + remote_ip' ( on local machine )
[15:19] <shwaiil> does anyone know anything about this ?
[15:52] <qman__> shwaiil: I believe that is referring to X11 forwarding over SSHb
[15:53] <qman__> SSH*
[15:53] <jpds> There's also xpra
[15:53] <jpds> !info xpra
[15:55] <pmatulis> was testing xpra yesterday on trusty.  it's quite actively developed
[16:17] <medberry> jamespage, I'm doing a new OpenStack Icehouse deploy this week. Should I build on Precise and upgrade it to Trusty later (current plan) or bite the bullet and go to Trusty first? (just asking for a best practice/recommendation based on current stability/maturity of each)
[16:18] <medberry> thanks, trusty it is
[17:22] <rostam> HI I am using ubuntu 12.04 lts.. we are observing some performance issues. Any recommandation on what profiling tool to use to root cause the issue? thx
[17:23] <rostam> k
[17:25] <SCHAAP137> performance issues in which sense?
[17:28] <sarnold> rostam: there are dozens to pick from :) one of my favorites is the 'vmstat 1' output, check the 'so' and 'si' columns to see if you need to buy more ram :)
[17:28] <rostam> we have mutli-threaded application, some of the thread are queued on an interrupt from video sync and are missed.
[17:28] <rostam> sarnold, thx I will look into those, but we have lotus of ram
[17:28] <sander__> Is the recent local root security bug fixed in 10.04 ?
[17:29] <sarnold> sander__: which one?
[17:29] <sander__> sarnold, is there several ones? Thinking about the race condition one.
[17:29] <sarnold> sander__: ah, then it might have been this: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196.html
[17:30] <sarnold> sander__: if it'sthe one I think you're thikning of, then yes, updates were released on 5th of may
[17:50] <zriddick|2> should I set up both an external and an internal nic on a mail server
[17:52] <sarnold> zriddick|2: that's probably more hassle than it is worth.
[17:53] <zriddick|2> ok I am wondering why zentyal has option for external or internal on the nic settings
[17:53] <zriddick|2> but that seems to be the common response
[17:54] <sarnold> zriddick|2: I can imagine scenarios where it might make sense, but it feels to me that if you've got a good reason for an internal mail server address and an external mail server address, having them on two servers is probably the wise next step :)
[17:55] <zriddick|2> understood
[17:56] <zriddick|2> when you set it up you get all kinds of crazy stuff happening
[17:56] <zriddick|2> Ill stick with the one
[18:51] <rostam> Hi I am using ubuntu 12.04. I am trying to install an opensource driver after compiling (lttng-modules-2.0.2),. It seems during installtion it requires private key, I keep getting this error: Can't read private key.  Is there anyway I can force install it? thx
[18:59] <patdk-wk> rostam, you need to ask lttng
[18:59] <rostam> patdk-wk, thx
[19:22] <Macer> good afternoon
[20:57] <justizin> is there an equivalent to policy-rc.d for update-rc.d ? i somehow thought policy-rc.d would prevent both starting and enabling of services installed by packages, but i’m finding that they don’t start on install, but do on reboot.
[21:29] <axisys> I wanted to save people from keep typing their securid password everytime then login to router and we have tons of backbone routers
[21:29] <axisys> how to cache authentication credentials instead of sending the authentication request to authentication server if request comes within say 5 mins of last successful authentication?
[21:30] <axisys> our setup is like this tacacs -> pam -> radius on securid server
[21:31] <sarnold> axisys: my first thought is to look into using sssd to cache credentials; keep in mind that I've not actually -used- sssd myself, I've just spent an hour skimming their documentation a few months ago..
[21:32] <sarnold> axisys: maybe simpler, try the pam_succeed_id module
[21:33] <axisys> sarnold: google thinks pam_succeed_if ?
[21:33] <sarnold> axisys: ignore google, just 'man pam_succeed_if', that ought to get you there :)
[21:38] <axisys> read it few times.. not sure if I following.. can it do like this? if pam_radius was success 5 mins ago then login success and no need to send another auth request?
[21:40] <sarnold> axisys: that's my thought... I haven't looked into it deeply, it might not be even close..
[21:41] <axisys> so sssd can talk to a pam library and keep the success in cache for a certain time for any future auth req ?
[21:42] <sarnold> axisys: I believe so, yeah
[21:46] <axisys> hmm.. so caching auth credentials is a feature with sssd.. nice.. but I do not know if it can talk to PAM..
[21:47] <axisys> atleast not showing anything here
[21:47] <axisys> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-authconfig-auth.html
[21:47] <axisys> may be need to read more to find out
[21:49] <axisys> ok.. so pam is an option
[21:49] <axisys> services = nss, pam
[21:49] <axisys> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/Configuring_Services.html
[21:49] <axisys> thanks
[21:50] <sarnold> axisys: yeah, it looks like it's a Big Thing, but it feels like it should be able to do whatever it is you need doing. :)
[22:01] <stiv2k> dw1: thank you
[22:43] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY
[22:44] <cloudman> why is rkhunter not updating on 12.04???
[22:44] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?!
[22:45] <sarnold> cloudman: what do you mean by 'updating'?
[22:45]  * Godzilla1954III FINDS THE F{}CK MONKEY AND GIVES IT A GOOD OL' FASHIONED F{}CKING TO DAT BITCH ASS
[22:46] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES
[22:46] <cloudman> just ran rkhunter --update and get an error, one moment
[22:46] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu
[22:46] <cloudman>  Checking file i18n versions                                [ Update failed ]
[22:47] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu GODDAMN PUPPY WHERE THE HELL ARE YOU SCREW YU GUYS AIM GOING HOME HONEY IM HOME TIME FOR YOU BEEATING TROLOLOLOLO
[22:47] <Godzilla1954III> WHERE IS MAH F{}CK MONKEY I WANT MY TOASTAH! GIMME ME TOASTAH WHERE IS MAH TOASTAH?! GIMME MAH F{}CK MONKEY AND MAH TOASTAH! WHERE IS MAH TOASTAH YOU SONS OF BITCHES update and get error one moment enjoy your stay puppy time oh gangman style scglkal furururu GODDAMN PUPPY WHERE THE HELL ARE YOU SCREW YU GUYS AIM GOING HOME HONEY IM HOME TIME FOR YOU BEEATING TROLOLOLOLO FURURURURURURUR
[22:47] <Catdaemon> apt-get install toaster
[22:47] <cloudman> o shut up dude
[22:48] <dcosnet> what the hell...
[22:48]  * Godzilla1954III walks away
[22:48] <cloudman> sarnold:  Checking file i18n versions [ Update failed ]
[22:48]  * Godzilla1954III apologizes to cloduman and sarnold and other people
[22:49] <cloudman>  just shut up is better :)
[22:49] <Godzilla1954III> tomaw: I'm done here.
[22:49] <Catdaemon> worst channel flood of all time
[22:49] <Godzilla1954III> sorry about that.
[22:49] <sarnold> tomaw: <3
[22:50] <cloudman> prove it a,d shut up
[22:50] <cloudman> prefer godzilla gone
[22:51] <cloudman> why is rkhunter not updating???
[22:52] <cloudman> not another heartbleed thing I hope
[22:53] <cloudman> not updating becaues it does not want to detect something
[22:55] <cloudman> anyone running 12.04 can you try rkhunter --update and see what happens
[23:27] <Patrickdk> cloudman, invalid command
[23:57] <lorfds> i am locking down a production ubuntu web server
[23:57] <lorfds> i am trying to figure out if i should just be using ufw
[23:57] <lorfds> or if i should be digging into nftables
[23:57] <lorfds> is ufw generally secure?
[23:57] <lorfds> this isn’t a super secure server, but i want to defend against most automated attacks
[23:58] <Catdaemon> ufw is a frontend for iptables
[23:58] <lorfds> would you say setting deny for everything except 80 and 443 is generally secure?
[23:58] <lorfds> or are there other things i should be doing regarding the firewall?
[23:58] <sarnold> lorfds: ufw is a nice-enough frontend for iptables; it might not have all the bells and whistles of more complicated configuration tools or hand-written rules, but if it is easy enough to be used, that's awesome :)
[23:59] <lorfds> also, what timezone do you use for your server?
[23:59] <sarnold> lorfds: allowing ssh access from some specific networks might be nice too
[23:59] <lorfds> this is u.s. based…serving east coast at first and eventually all u.s.
[23:59] <lorfds> is utc the best you think?
[23:59] <Catdaemon> ufw allow ssh, ufw allow http and ufw allow https should be good for you
[23:59] <lorfds> sarnold…i blanket enabled ssh
[23:59] <Catdaemon> don't forget to allow ssh if it's a remote server or you're in for a fun time
[23:59] <lorfds> should i make it more specific for ssh access?