/srv/irclogs.ubuntu.com/2014/07/07/#ubuntu-server.txt

=== kriskrop1 is now known as kriskropd
byte	moin	06:26
cloudman	Hi, getting people saying my servers running buntu 12.04.4 is unsecure because its running an outdated version of apache ( 2.2 ) this is bollocks yeah, its fully patched!	11:31
cfhowlett	cloudman could be that the next LTS 14.04 has a newer version - doesn't mean that 2.2 is unsecure though	11:33
histo	cloudman: it's getting security patches until april of 2017	11:33
cloudman	cfhowlett: ty thats what I mean 2.2 is secure but people like Securi are flagging it up as a threat and its nonsense	11:34
cloudman	just to make them click a link and try to make some cash	11:34
cfhowlett	cloudman might be worth upgrading to 14.04. I'm not sysadmin so I don't know all the implications of that ...	11:35
cloudman	just told them to stop scare mongering	11:35
histo	cloudman: Who is telling you this?	11:35
cloudman	cfhowlett: php 5.5.9 is a no go for me and my servers at the moment	11:35
cloudman	and sod taking it off stable	11:35
cloudman	histo: Securi scan	11:36
cloudman	maybe Ubuntu should send them an email	11:36
cloudman	and say, hey, at least make a note that even though its outdated it is totally secure	11:36
cloudman	its deceptive just to make the punter click a link and fix it and causing sysadmins extra work answering false threats to clients	11:37
cloudman	pain is the ass	11:38
ogra_	well, point them to http://www.ubuntu.com/usn/precise/ it has the full list of CVEs	11:39
cfhowlett	cloudman fud are going to fud. continue to maintain your system and do what you do.	11:39
cloudman	:) thanks all	11:39
histo	WTH is securi scan?	11:43
cfhowlett	histo online virus scan? reported that my windows system was infected by linux ...	11:44
cfhowlett	which could be repaired for a price	11:44
cloudman	lol	11:45
ogra_	that gives "viral marketing" a whole new meaning :)	11:45
cloudman	at the price of sysadmin time	11:45
* histo bets it finds any site not running their software insecure		11:45
cfhowlett	I always love popups telling me how to repair my windows - when I'm running UBUNTU!	11:45
cloudman	actually might be worth putting their site through it	11:46
cloudman	even told me servers have no firewall, click here to put it right lol	11:46
cloudman	its down right deception	11:46
histo	their site has issues scanning itself lol	11:48
riply	Hi guys, it's been a while since I've used the virtualmin / ubuntu installation script. I am looking at rebuilding my box and want to move away from using apache and give nginx a try. Is it part of the auto installer these days?	11:48
histo	http://sitecheck.sucuri.net/results/securi.net	11:48
cloudman	histo: :)	11:49
histo	cloudman: email that back to them.	11:49
cloudman	aint got the time ;)	11:49
cloudman	I only use irc even when I have too	11:49
cloudman	too busy updating my servers	11:50
cloudman	hope updates begin to slow down	11:50
histo	riply: what autoinstaller?	11:51
riply	histo, hi man :)	11:51
=== krtaylor_away is now known as krtaylor
histo	riply: hello	11:51
cloudman	Can we have a new feature to Ubuntu? No updates	11:52
riply	histo, there is an auto-installer which virtualmin (Used to??) supply which you could run on a clean ubuntu installation, which would setup all the dependancies. Let me see if I can dint it.	11:52
riply	histo, http://www.webmin.com/vinstall.html	11:52
histo	riply: you would have to read their script and see what webserver it installs	11:53
cloudman	histo: my mistake its sucuri.net try again you get a formatted static html page lol	11:54
cloudman	riply: I use VM a lot	11:55
cloudman	like every server	11:55
riply	cloudman, I'm listening :) this installation script is 1300 lines long!	11:55
cloudman	dont mess with it	11:55
cloudman	ripy 12.04 or 14.04?	11:56
cloudman	I found on 14.04 it does not pull in awstats and mailman at times but that might be me	11:56
cloudman	other than its fine	11:57
riply	cloudman, I've just finished setting up RAID5 for 14.04	11:57
riply	she is literally sitting on first boot	11:57
riply	waiting her fate.	11:57
cloudman	get on the vm channem andreycheck is a treasure to help	11:57
cloudman	channel sry	11:57
histo	riply: grep apache /some/script/file	11:58
riply	I am on the VM chan :) left the same message earlier!	11:58
cloudman	riply: they have a howto for using nginx	11:58
cloudman	yeah see you	11:58
riply	I am at the office now so will have a look when I am home.	11:59
riply	the server's there too..	11:59
cloudman	will stick with apache myself	11:59
riply	cloudman, thanks man - I've not been on the site for years.	11:59
riply	cloudman, the only reason I want to move is that this project is going to, hopefully, get a lot of traffic.	11:59
riply	I don't want the thing to die on me :(	12:00
cloudman	well you need a good server and network for that	12:00
cloudman	can I pm you?	12:00
riply	cloudman, you're welcome to	12:00
cloudman	ty	12:01
=== Adri2000 is now known as Guest67185
=== hxm is now known as Guest68075
=== Malediction_ is now known as Malediction
=== ming is now known as Guest65048
=== huats_ is now known as huats
=== RoyK^ is now known as RoyK
=== Guest67185 is now known as Adri2000_
zul	jamespage: great python-oslo.db is broken in utopic	13:12
DeltaHeavy	Should everything in my /usr/local/share/ be under the main user I use? I keep getting this error in zsh and fixed it by changing ownership to 'root:root'. I think I may have made a big mistake when giving permissions to my main user for global nodejs modules but I'm unsure =X	13:41
DeltaHeavy	/usr/local/ is all owned by my main user. not root	13:41
reesp	Hi! i need help... my companie want start to use ubuntu in our projects. please tell me one thing: for a company, its free to use ubuntu server?	13:45
DeltaHeavy	reesp: 100% yes. You just don't get any support.	13:46
ogra_	well, you get community support unless you pay ... then you can get commercial support too	13:47
RoyK	reesp: linux is free, but certain distros can't be used without payment, things like SuSE and RedHat	13:47
DeltaHeavy	I used to be a CentOS (free RedHat clone) and Debian guy. I switched to Ubuntu Server and I couldn't be happier.	13:48
reesp	yes its true RoyK	13:48
reesp	Ok many thanks	13:48
reesp	where can i get comercial support?	13:48
RoyK	reesp: but paying for that's my question too - tried to find it on ubuntu.com, but the site is a bit messy	13:49
DeltaHeavy	reesp: http://www.ubuntu.com/management	13:49
DeltaHeavy	I find Google is better at navigating websites than I am lol.	13:49
RoyK	landscape is nice	13:50
reesp	exist 2 kinds support: landscape and advantage, right?	14:07
RoyK	reesp: yep - you'd want the latter if you're paying for support. landscape is nice for a server overview etc, but it's not support	14:12
RoyK	reesp: but then, having worked with linux systems for a while, I don't really see the idea of "support", since these days, you have things like google and irc and forums and facebook and whatnot	14:13
RoyK	reesp: but again, if it's not seen as a big cost, it's a very nice payback	14:14
patdk-wk	well, it also depends	14:15
patdk-wk	sometimes having someone else patch and fix a package is nice	14:15
patdk-wk	expecially if you run in to a kernel issue	14:15
RoyK	patdk-wk: that's certainly a case	14:16
RoyK	I wonder how long it'd take canonical to fix #1171945 if I actually paid them support	14:17
RoyK	bug 1171945	14:17
uvirtbot	Launchpad bug 1171945 in mdadm "Nested RAID levels aren't started after reboot" [Undecided,Confirmed] https://launchpad.net/bugs/1171945	14:17
patdk-wk	I just randomly hit another one	14:18
patdk-wk	#1274320	14:18
patdk-wk	guess it doesn't love me	14:18
patdk-wk	bug 1274320	14:18
uvirtbot	Launchpad bug 1274320 in grub2 "Error: diskfilter writes are not supported" [High,Triaged] https://launchpad.net/bugs/1274320	14:18
RoyK	1171945 seems to be upstart	14:20
RoyK	I don't like upstart	14:20
RoyK	I also don't like upstart	14:20
patdk-wk	well, upstart is going away	14:20
RoyK	yep	14:20
RoyK	I hoped for systemd in 14.04, but seems we'll have to wait another two years (LTS)	14:21
patdk-wk	we have systemd in 14.04	14:21
patdk-wk	the issue is, we have systemd + upstart	14:21
hallyn	zul: hey, if/when you merge the new libvirt, can you address bug 1335221 (adding package info to the configure line in debian/rules)	14:22
uvirtbot	Launchpad bug 1335221 in libvirt "libvirt builds should include packager information" [High,Triaged] https://launchpad.net/bugs/1335221	14:22
zul	hallyn: yeah working on it now	14:22
hallyn	cool	14:23
jdowdle	I'm having trouble mounting a NFS share on a 12.04 box. When issuing the mount command, it times out. It's thru vagrant - but I've mounted other NFS shares via vagrant before. I think the base box chef/ubuntu12.04 is possibly missing something.	14:39
=== Guest68075 is now known as hxm
=== elliotd123_ is now known as elliotd123
zul	hallyn: should be available here https://launchpad.net/~zulcss/+archive/libvirt-testing	15:06
Thatguy	Is there a shell I can use for my web hosting server for people to use that will only allow them to do basic commands and only see web files	15:17
peetaur2	Thatguy: I don't know if there is such a shell, but whichever you choose, make sure to also sandbox it inside apparmor or other LSM when you pick one.	15:18
Thatguy	ok	15:19
peetaur2	Thatguy: eg. let's say you give them rsync access... then they upload their own bash, and run rsync -e "/home/me/bash" blah/ localhost:blah/ and they might have a new unlimited shell	15:20
Thatguy	I found out you can do a jail with bash	15:21
=== BaNzoune1 is now known as BaNzounet
patdk-wk	why would you do that?	15:27
* patdk-wk thinks someone needs to learn what apparmor is		15:28
patdk-wk	doing a jail in bash will break all other programs	15:28
Thatguy	sorryi mean	15:29
Thatguy	rssh	15:29
jrwren	the bash restricted shell?	15:34
=== DeltaHeavy_ is now known as DeltaHeavy
Thatguy	Its a package called zsh only allows sftp and rsync items	15:48
DeltaHeavy	Thatguy: That's not what zsh does at all, nor does it create a jail.	15:51
Thatguy	ow mean rssh :D	15:52
DeltaHeavy	Gotcha	15:52
Thatguy	haha getting the two messed up :D	15:52
Thatguy	got it working trying to chroot it now	15:52
Thatguy	but when i do it wont let me login	15:53
Thatguy	any one here used sshd config with chroot?	16:39
patdk-wk	ya, totally dislike it	16:40
Thatguy	cant set it so /var/websites	16:44
Thatguy	only setable to /	16:44
superboo1	Hi all. I need to format a 4TB partition. I'm running 14.04LTS Server. Someone suggested using the GUID partition table. Is this supported by the default kernel in 14.04? Is there a more reccomended way to achieve a 4TB partition?	16:45
Thatguy	which is what it would be normaly :S	16:45
=== superboo1 is now known as superboot
patdk-wk	superboot, it's been supported for a long time	16:49
rickbeldin	Looking for tips on analyzing core dump of /usr/bin/kvm from 12.04. Where do I get debug symbols (debuginfos?) for this?	16:49
Thatguy	turns out that for chroot on ssh root has to own folder :S	16:53
patdk-wk	yep	16:54
Thatguy	got it working with proftpd now	17:01
Thatguy	Do you know how to make when I do service proftpd restart	17:01
Thatguy	wait 2 second between stop and start	17:01
Thatguy	because i have to do it twice or do start then stop	17:01
Thatguy	tryed pause 2 but it comes up with an error	17:01
patdk-wk	add a sleep in the init script	17:02
Thatguy	just add "sleep 2"	17:02
Thatguy	right	17:02
Thatguy	as i get this /etc/init.d/proftpd: 180: /etc/init.d/proftpd: pause: not found	17:02
DeltaHeavy	Thatguy: I've done secure sshd configs so users can only use SFTP with no ability to muck anything up.	17:02
Thatguy	DeltaHeavy: gona use proftpd ;D	17:03
DeltaHeavy	I'd avoid the use of plain ol' FTP period. It's slow, shitty, and insecure.	17:03
Thatguy	using sftp module for it	17:03
patdk-wk	DeltaHeavy, who said it was ftp?	17:03
DeltaHeavy	Thatguy: Ok, gotcha. Thought it just did FTP	17:03
Thatguy	no :D	17:04
DeltaHeavy	patdk-wk: The website says it's an "FTP Server" so yeah.	17:04
patdk-wk	now, I setup mine long before proftpd had sftp support	17:04
patdk-wk	I'm using a nicely patch sshd	17:04
DeltaHeavy	The amount of webdevs I see that use FTP honestly boggles my mind. Then again there seems to be a LOT of really stupid webdevs who havn't a clue in the world about what they're really doing.	17:04
Thatguy	lol	17:04
patdk-wk	and also patched suexec in apache, though it's supported now, for apparmor	17:04
Thatguy	was gona use ssh chroot but you have to set the user of the folder to root	17:05
patdk-wk	DeltaHeavy, I would be happy if they used ftp, still using frontpage2003 here	17:05
DeltaHeavy	patdk-wk: Are you serious?	17:05
patdk-wk	yes	17:05
Thatguy	any of you know why This " /etc/init.d/proftpd: 180: /etc/init.d/proftpd: pause: not found" is coming up :S	17:05
DeltaHeavy	Why @_@	17:05
patdk-wk	cause they can :)	17:05
DeltaHeavy	patdk-wk: Who's "they"?	17:05
patdk-wk	customers	17:06
DeltaHeavy	Your place of work's webdev department?	17:06
DeltaHeavy	Ugh	17:06
patdk-wk	it's still too much of a selling point	17:06
patdk-wk	for people to not bother upgrading	17:06
patdk-wk	or learning something new :(	17:06
DeltaHeavy	What's a selling point?	17:06
patdk-wk	they don't have to change	17:06
DeltaHeavy	Making your website look like a pile of shit and get a shitty page rank?	17:06
patdk-wk	oviously they are not concerned about that	17:06
DeltaHeavy	It's basically saying "I'm ok making garbage"	17:07
patdk-wk	I have so heavily patched the frontpage cgi binaries to secure them	17:07
patdk-wk	well, to make them work in a secure enviorment	17:07
DeltaHeavy	They still produce utter garbage.	17:08
DeltaHeavy	No self-respecting webdev uses Frontpage or a WYSIWYG period.	17:08
patdk-wk	heh?	17:08
patdk-wk	most of them use wordpress these days :)	17:08
DeltaHeavy	That's not a client :p	17:09
DeltaHeavy	Or like...editor	17:09
DeltaHeavy	Whatever you want to call Frontpage	17:09
patdk-wk	IDE	17:09
DeltaHeavy	If you want to call it that lol.	17:09
Thatguy	yeah i know what you mean :D	17:09
patdk-wk	only thing that applies	17:09
Thatguy	and then they get defaced	17:10
Thatguy	because its not very secure	17:10
DeltaHeavy	Eh, WP isn't that bad. There are just a LOT of shitty WP devs installing plugins made by other shitty WP devs. WP core is fine.	17:10
DeltaHeavy	Shitty devs gravitate towards WP and use it for EVERYTHING.	17:10
Thatguy	it has a upload script that can be used to upload a php shell	17:10
DeltaHeavy	I have a client I'm always helping out, they're a consulting firm. They have document roots inside document roots inside document roots.	17:11
Thatguy	lol	17:11
DeltaHeavy	No JS event listeners. Just onclick attributes and the like.	17:11
DeltaHeavy	4 versions of jQuery included on each page	17:11
Thatguy	lol	17:12
Thatguy	just incase the url goes down 3 times :D	17:12
DeltaHeavy	It confuses me why shit like this is so common in comparison to other development platforms x.x	17:13
IdleOne	Can we please watch the potty language	17:13
DeltaHeavy	True, sorry. Forgot this channel had that rule.	17:13
GH0	Is there a list of the big package changes from 12.04 to 14.04? Or any other change logs that deal with packages? I just want to make sur when I upgrade that it doesn't break anything	17:14
DeltaHeavy	GH0: Nodejs works way better on 14.04 I find. Also it's using PHP5.6 which hasa lot more awesome features.	17:14
sarnold	GH0: release notes are handy; every package has a changelog, too, though it might not be easy to pick out what's new between two releases..	17:15
GH0	I just want to make sure things like VMware wont break, since it is pretty picky about the running kernel. Among other things.	17:17
patdk-wk	picky about the running kernel?	17:17
patdk-wk	gh0, what exactly is vmware?	17:17
patdk-wk	you don't normally run a company on a computer, but software	17:17
DeltaHeavy	If you Google stuff like "VMware Ubuntu 14.04" and even append a "not working" to it, it should be obious if there's a huge problem with upgrading or not.	17:18
patdk-wk	I have 0 issues using esxi or workstation on 14.04	17:19
patdk-wk	or esxi inside workstation on 14.04	17:19
RoyK	DeltaHeavy: I have some 1404 machines on esxi - works well	17:19
mfisch	zul: can you tell me if I should be using python-glance or python-glanceclient for scripts? it look like from P-->T that some client features migrated	17:20
mfisch	zul: and I'm not sure if one is deprecated perhaps, there still seems to be overlap	17:20
zul	glancecleint	17:20
mfisch	thanks zul	17:20
lordievader	Good evening.	17:22
RoyK	evening	17:24
lordievader	Hey RoyK, how are you?	17:25
hushnowquietnow	Hello	17:55
hushnowquietnow	I think I may have just screwed myself over with an ubuntu server I'm maintaining. I misspelled the server's domain name in /etc/hostname and then rebooted. Now trying to SSH to the machine just returns a 'network unreachable' message	17:56
=== alexisb is now known as alexisb_lunch
hushnowquietnow	Is there any way I can get back into the server remotely?	17:58
sarnold	hushnowquietnow: 'network unreachable' probably says more about your local host than the server	18:01
sarnold	hushnowquietnow: try pinging your gateway device, tracerouting out to the network, etc	18:01
hushnowquietnow	sarnold: I'm trying to connect from the same machine that I'm IRCing on	18:02
sarnold	hushnowquietnow: ah :)	18:03
sarnold	hushnowquietnow: can you ping the IP? traceroute to the IP? ping the DNS? traceroute to the DNS?	18:03
hushnowquietnow	Oops	18:09
hushnowquietnow	Pinging the hostname gives responses from an entirely different IP. Pinging the IP returns 'destination host unreachable'	18:10
hushnowquietnow	I'm not sure how to interpret the output of traceroute	18:10
RoyK	hushnowquietnow: does pinging the host and running "host yourhost.somewhere" give the same ip?	18:11
hushnowquietnow	RoyK: Running the host command returns the proper IP address and the one that responds to ping	18:12
hushnowquietnow	Well, at this point I think I'm better off cutting my losses and just restoring the VM from a snapshot	18:20
hushnowquietnow	One other question though: should /etc/hostname have the FQDN of the server? Or just its hostname without the domain?	18:21
sarnold	I -think- hostname should just have the hostname, no domain	18:24
hushnowquietnow	So I wasn't even supposed to be doing the thing I did when I broke everything D:	18:26
sarnold	heh, I think there's been debate about the /etc/hostname file for the two decades I've been around..	18:27
patdk-wk	heh	18:28
patdk-wk	I vote hostname file goes away :) or contains the fqdn	18:29
patdk-wk	mailname should go away too	18:29
sarnold	hah, I hadn't noticed I still have an /etc/mailname ..	18:30
rberg	can /proc /sys and /proc/sys get merged while we are shaking the tree?!	18:31
rberg	:)	18:31
patdk-wk	rbeg, that is a kernel issue, much harder :)	18:31
digs	I am fighting vsftpd on 12.04. I am using Amazon EC2. I have been able to make this work just fine on 14.04 - here is my config: http://codepad.org/0n1DGuCq	18:36
digs	It fails on file transfers.	18:36
digs	It gets to 100% and then times out.	18:36
digs	I have tried removing the chroot, same issue.	18:36
digs	Ports 20,21,12000:12100 are open to 0.0.0.0/0 on the associated ec2 security group. There is no firewall running on the server.	18:37
digs	(at least none I installed and iptables is not running)	18:37
DeltaHeavy	digs: Why are you using FTP in the first place? Why not use SSH?	18:38
DeltaHeavy	SSHFS and SFTP both run through it.	18:38
digs	legacy support.	18:38
digs	I am moving to that over the next few months... but I can't do it yet.	18:39
DeltaHeavy	What do you need to support though that can't use those protocols? SSH is ooooold	18:39
digs	I don't want to defend my decision.	18:39
=== jdowdle is now known as jdowdle\|away
RoyK	hushnowquietnow: are you sure you don't have an line in /etc/hosts for that box?	18:42
hushnowquietnow	I can't be sure any more. I reset the machine from a vm snapshot about 10 minutes ago and now it's happily humming along	18:43
DeltaHeavy	digs: I'm just curious at this point.	18:45
RoyK	it's good it works ;)	18:45
DeltaHeavy	Was asking though because if we know the root of what you're trying to accomplish there might be an easier solution digs. Often when people try to set up FTP they're better off using a better protocol.	18:45
digs	I have been a admin for over 10 years. I appreciate and completely understand your angle but I assure you, I need ftp for now.	18:46
digs	I am fairly new to ubuntu though. I have only been using it for about a year. I am much more aquantied with FreeBSD.	18:47
DeltaHeavy	Yeah, I'm not saying you're wrong. I am legitemetly curious now but if it's too much trouble to explain don't bother.	18:47
DeltaHeavy	digs: Is there an error log?	18:48
RoyK	IMHO FTP is for special purposes these days, and hardly needed for anything else	18:48
digs	I can't understand why the config works perfectly fine on 14.04 and doesn't on 12.04. I actually have this issue on another server too, which I opted for sftp because I couldn't make regular ftp connections work after I upgrade the box. It was working fine before.	18:48
digs	DeltaHeavy, there is a "transfer log" but it is of no help. Nothing useful.	18:49
RoyK	digs: try to disable the firewall if you have any	18:50
sarnold	digs: anything useful in dmesg?	18:50
digs	Just double checked, no.	18:53
digs	By all documentatin and 20 some posts found by my searches, this configuration should work.	18:55
DeltaHeavy	File permissions?	18:55
DeltaHeavy	Do you have acl on?	18:55
histo	digs: is it possible that some new feature in 14.04 vsfpd version vs 12.04 isn't supported in the config?	18:56
=== jdowdle\|away is now known as jdowdle
digs	histo: Yes, there are some differences, but these particular configuration parameters match and vsftpd doesn't complain about any of them.	18:56
digs	DeltaHeavy - no acl, and file permissions are valid.	18:57
digs	I was going to try making a 777 dir just to see and I forgot. let me try that.	18:57
histo	digs: yeah start there and see	18:57
digs	same issue.	18:58
histo	digs: try a default config	19:01
RoyK	digs: pastebin iptables -vnL ; ip6tables -vnL	19:03
digs	It starts the file transfer, get's to 100% in filezilla, then hangs for about 20 seconds and filezilla pops up asking if I want to overwrite or resume the transfer and the filezilla log looks like this: http://codepad.org/9BioM0HK	19:03
digs	I changed the ip.	19:03
RoyK	digs: filezilla has issues - does it work with something like ncftp?	19:04
histo	RoyK: how would it be firewall if it starts the transfer	19:04
RoyK	digs: nice ip addres btw	19:05
digs	fw: http://codepad.org/8bM7IdFX	19:05
RoyK	histo: probably not, just asking	19:05
RoyK	digs: well, that's wide open	19:05
* histo suspects client		19:06
digs	client works fine on 14.04 - and it is a popular client, if I can't get it to work with filezilla, the server side is useless.	19:06
digs	for grins, I will try another.	19:07
digs	okay, now I am baffled. It worked on the other client with a .txt file. I tried the same file with filezilla. it works. I tried a pdf... it works. I tried the same file I have been trying... a favicon.ico ... it fails. Tried a .png, it works.	19:11
digs	it fails .ico files on both clients. wtf.	19:11
digs	I have been stabbing this thing for over an hour.	19:12
patdk-wk	digs you have a firewall anywhere?	19:12
digs	I have a cisco fw on-site. I can check the IPS logs.	19:12
patdk-wk	make sure the port range it uses for passive mode ftp is open	19:13
patdk-wk	you might only have it partially open	19:13
digs	simpler, I can exclude myself in the ACL from the traffic forward to ips.	19:13
patdk-wk	what ftp server is it?	19:14
digs	vsftpd	19:14
digs	son of a _ it was the cisco IPS blocking the .ico file extension. grrr.	19:15
digs	Thanks for oiling my gears guy. shezz.	19:16
digs	guys*	19:16
digs	only reason I tried a .txt file was because I was too lazy to go find the .ico in the other ftp client :D	19:16
digs	no I have to reconfigure this the IPS to chill out, at least for a few LAN ips.	19:18
RoyK	digs: blocking .ico files is rather paranoid ;)	19:24
patdk-wk	they are nothing but issue :)	19:25
hushnowquietnow	Did the .ico files work on the 14.04 server?	19:27
=== hushnowquietnow is now known as hushnomlunchnom
=== alexisb_lunch is now known as alexisb
digs	RoyK - I agree... I am not sure why it blocks them... yet.	20:10
RoyK	digs: guess it's about the possibility of embedding source code in pictures so that the javascript interpreter could accidentially run a script inside a image, but then, they'd have to block all image files, which would take the internet back to 1993 or so ;)	20:12
smoser	$ sudo lxc-create -t download -n f -- --list	20:40
smoser	Setting up the GPG keyring	20:40
smoser	hang	20:40
smoser	stgraber, hallyn ^	20:40
smoser	i suspect that that hang is gpg waiting for random data	20:40
smoser	that is never going to come to it	20:40
smoser	is that true ?	20:40
hallyn	smoser: seems plausible	20:41
smoser	:-(	20:41
hallyn	create some randomness :)	20:41
hallyn	smoser: you could do --no-validate	20:41
hallyn	not sure if that will eschew the gpg keyring creation altogether or not	20:42
hallyn	if not, it should	20:42
smoser	bah	20:42
smoser	no. its looking for download key from a keyserver	20:42
smoser	:-(	20:42
smoser	why wasnt that delivered for me withthe package	20:43
stgraber	smoser: because we want to be able to revoke the key easily if the server is corrupted and not wait for distros to update their package in that case	20:46
stgraber	we use a pretty big gpg keyserver network though and have it setup so that it works over http proxies though and attempts to fetch the key 3 times	20:46
stgraber	so it's pretty rare to be in an environment where fetching the key won't work but fetching the index and image afterwards will	20:47
smoser	stgraber, and how would you revoke that key?	20:53
smoser	you'd believe that some user is more likely to update their upstream tarball than get a key id from you?	20:53
smoser	and i disagree that its "pretty rare" to be in such an environment	20:53
smoser	many environments have network access only through http_proxy	20:54
smoser	how is it any different to deliver a keyid than to deliver the key ?	20:54
smoser	gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 0xBAEFF88C22F6E216	20:54
smoser	bah	20:54
smoser	https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1338781	20:55
uvirtbot	Launchpad bug 1338781 in lxc "lxc download template needs access to hkp://pool.sks-keyservers.net" [Undecided,New]	20:55
smoser	i honestly dont understand how that is any different.	20:55
ochiottes	hey	20:56
ochiottes	i just found that syslog has no entries for the past 5 weeks	20:56
ochiottes	how do i check if it's running and how would i turn it on again?	20:57
stgraber	smoser: if we need to revoke the key, we push the revocation to the key network and we're done, that will immediately prevent anyone from getting content signed by the compromised key, without having to rely on the distros updating lxc	20:58
stgraber	smoser: switching to a new key will then require distros to update LXC to include the new keyid but at least during that time, lxc will refuse to create containers with images signed by a compromised key (which would be essentially remote code execution on all machines using the template)	20:59
smoser	well, i'm not entirely convinced.	21:00
smoser	and less convinced that depending on a uncommon protocol delivered from a service that is not all that reliable is a good solution.	21:01
stgraber	well, I've carefuly chosen that specific network, protocol and port combination specifically because it works through http proxies. I've got multiple servers using the download template on very restricted networks with gpg and https traffic happily going through a proxy, you're the first one to report a problem with that, so I'm wondering what's special with your setup...	21:05
stgraber	smoser: actually, looking at the code, it looks like http_proxy isn't set in your environment	21:07
stgraber	smoser: otherwise the template would have used hkp://p80.pool.sks-keyservers.net:80	21:07
byte	n8	21:10
smoser	stgraber, you are correct.	21:10
smoser	i didnt get http_proxy set.	21:10
patdk-wk	isn't that replayable?	21:10
smoser	annoying that it doesnt pass through sudo in this case.	21:10
patdk-wk	by mtim	21:11
patdk-wk	mitm	21:11
stgraber	ah yeah, sudo is a bit annoying for that...	21:11
smoser	but you're still dependent on this arbitrary 3rd party web service	21:12
smoser	why not just wget https://linuxcontainers.org/the-key and use that ?	21:12
stgraber	we don't depend specifically on that service, the GPG network is replicated between services so you can use any valid keyserver you want. I also thought it'd be a better practice not to have our key revokation procedure depend on the same server that's hosting the rest of the files (since it'd be likely both would be compromised at the same time, being on the same physical box)	21:16
stgraber	pool.sks-keyservers.net is made of over 20 servers, reachable over ipv4 and ipv6 around the world, so I think it's reliable enough	21:17
stgraber	patdk-wk: you are correct, the keyserver protocol can be man-in-the-middled and so if you get your hands on our private gpg key and our https certificate (or get access to the web server), you can then MITM the gpg keyserver and the images server to feed bad images to a client	21:19
stgraber	patdk-wk: which seems reasonably difficult (though not impossible). And this would be for a very targeted attack, not for the widespread distribution of compromised images (which was our main focus there)	21:20
hallyn	niemeyer: hey - is there anyone in particular who'd be good to ask about relationships/dependencies between golang packages in trusty?	21:20
niemeyer	hallyn: I'm happy to talk about it, but I'm not a good person to explain it.. my preference was always for a more monolithic approach, but we've inherited that design from Debian, which surely follows more closely what the policy says	21:27
smoser	stgraber, i dont knwo how reliable it is.	21:27
smoser	i'm fairly sure i've seen it down.	21:28
smoser	but you've now inserted something into the critical path that was previously utilized very occasionally	21:28
smoser	ie, compare the number of times you've gpg --import-keypair to the number of times you've 'apt-get install' or 'apt-get update'	21:29
hallyn	niemeyer: in order to sru docker.io we need a few golang packages updated. I've opened bugs for those, but am wondering whether they in turn should trigger any others. bugs are:	21:32
hallyn	bug 1338759, bug 1338769, bug 1338772, bug 1338775 (and two more to come when rharper opens them)	21:33
uvirtbot	Launchpad bug 1338759 in golang-context "SRU 0.0~git20140522.1.1f3e8a4-2 to trusty" [Undecided,Fix released] https://launchpad.net/bugs/1338759	21:33
uvirtbot	Launchpad bug 1338769 in golang-gocapability-dev "SRU >= 0.0~git20140516~ to trusty" [High,Fix released] https://launchpad.net/bugs/1338769	21:33
uvirtbot	Launchpad bug 1338772 in golang-mux "SRU 0.0~git20140505.1.136d54f-2 to trusty" [High,Fix released] https://launchpad.net/bugs/1338772	21:33
uvirtbot	Launchpad bug 1338775 in golang-pty "SRU 0.0~git20140315.1.67e2db2-1~ to trusty" [High,Fix released] https://launchpad.net/bugs/1338775	21:33
hallyn	niemeyer: they all built/installed fine as they were, and none listed any versioned deps that weren't being met in trusty,	21:33
hallyn	but i just wanted to make sure.	21:33
VioByte	Anyone know how to get Ubuntu 12.04 to allow support for lookups to LDAP with a username that contains a dot/period instead of returning "id: user.name: No such user" Or is this not doable for some retarded reason? Normal ldap user lookups work fine except for the dotted ones.	21:34
niemeyer	hallyn: These are all third-party packages which I'm not familiar with	21:34
hallyn	niemeyer: ok, thanks	21:34
hallyn	niemeyer: if they're not core to go anyway then all the better :) i didn't want to break builds of juju or something	21:35
niemeyer	hallyn: Yeah, two of them are part of Gorilla, which is a bunch of helpers on top of Go's http package	21:36
hallyn	i dont' see any packaged version of that ?	21:38
niemeyer	hallyn: These are the packages	21:39
niemeyer	hallyn: https://github.com/gorilla	21:39
hallyn	yeah that should be fine (since it's coming from git)	21:45
=== RoyK^ is now known as m39oslo
VioByte	Anyone know how to get Ubuntu 12.04 to allow support for lookups to LDAP with a username that contains a dot/period instead of returning "id: user.name: No such user" Or is this not doable for some retarded reason? Normal ldap user lookups work fine except for the dotted ones.	22:45
=== jdowdle is now known as jdowdle\|away
=== jdowdle\|away is now known as jdowdle
=== Ursinha is now known as Ursinha-afk

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!