[06:26] <byte> moin
[11:31] <cloudman> Hi, getting people saying my servers running Ubuntu 12.04.4 are insecure because it's running an outdated version of apache (2.2). This is bollocks, yeah? It's fully patched!
[11:33] <cfhowlett> cloudman could be that the next LTS 14.04 has a newer version - doesn't mean that 2.2 is insecure though
[11:33] <histo> cloudman: it's getting security patches until april of 2017
[11:34] <cloudman> cfhowlett: ty, that's what I mean. 2.2 is secure but people like Securi are flagging it up as a threat and it's nonsense
[11:34] <cloudman> just to make them click a link and try to make some cash
[11:35] <cfhowlett> cloudman might be worth upgrading to 14.04.  I'm not sysadmin so I don't know all the implications of that ...
[11:35] <cloudman> just told them to stop scare mongering
[11:35] <histo> cloudman: Who is telling you this?
[11:35] <cloudman> cfhowlett: php 5.5.9 is a no go for me and my servers at the moment
[11:35] <cloudman> and sod taking it off stable
[11:36] <cloudman> histo: Securi scan
[11:36] <cloudman> maybe Ubuntu should send them an email
[11:36] <cloudman> and say, hey, at least make a note that even though it's outdated it is totally secure
[11:37] <cloudman> it's deceptive just to make the punter click a link and fix it, and it causes sysadmins extra work answering false threats to clients
[11:38] <cloudman> pain in the ass
[11:39] <ogra_> well, point them to http://www.ubuntu.com/usn/precise/ it has the full list of CVEs
[11:39] <cfhowlett> cloudman fud are going to fud.  continue to maintain your system and do what you do.
[11:39] <cloudman> :) thanks all
[11:43] <histo> WTH is securi scan?
[11:44] <cfhowlett> histo online virus scan?  reported that my windows system was infected by linux ...
[11:44] <cfhowlett> which could be repaired for a price
[11:45] <cloudman> lol
[11:45] <ogra_> that gives "viral marketing" a whole new meaning :)
[11:45] <cloudman> at the price of sysadmin time
[11:45]  * histo bets it finds any site not running their software insecure
[11:45] <cfhowlett> I always love popups telling me how to repair my windows - when I'm running UBUNTU!
[11:46] <cloudman> actually might be worth putting their site through it
[11:46] <cloudman> even told me servers have no firewall, click here to put it right lol
[11:46] <cloudman> it's downright deception
[11:48] <histo> their site has issues scanning itself lol
[11:48] <riply> Hi guys, it's been a while since I've used the virtualmin / ubuntu installation script. I am looking at rebuilding my box and want to move away from using apache and give nginx a try. Is it part of the auto installer these days?
[11:48] <histo> http://sitecheck.sucuri.net/results/securi.net
[11:49] <cloudman> histo:  :)
[11:49] <histo> cloudman: email that back to them.
[11:49] <cloudman> ain't got the time ;)
[11:49] <cloudman> I only use irc even when I have to
[11:50] <cloudman> too busy updating my servers
[11:50] <cloudman> hope updates begin to slow down
[11:51] <histo> riply: what autoinstaller?
[11:51] <riply> histo, hi man :)
[11:51] <histo> riply: hello
[11:52] <cloudman> Can we have a new feature to Ubuntu?  No updates
[11:52] <riply> histo, there is an auto-installer which virtualmin (used to??) supply which you could run on a clean ubuntu installation, which would set up all the dependencies. Let me see if I can find it.
[11:52] <riply> histo, http://www.webmin.com/vinstall.html
[11:53] <histo> riply: you would have to read their script and see what webserver it installs
[11:54] <cloudman> histo:  my mistake, it's sucuri.net. try again, you get a formatted static html page lol
[11:55] <cloudman> riply:  I use VM a lot
[11:55] <cloudman> like every server
[11:55] <riply> cloudman, I'm listening :) this installation script is 1300 lines long!
[11:55] <cloudman> don't mess with it
[11:56] <cloudman> riply 12.04 or 14.04?
[11:56] <cloudman> I found on 14.04 it does not pull in awstats and mailman at times but that might be me
[11:57] <cloudman> other than that it's fine
[11:57] <riply> cloudman, I've just finished setting up RAID5 for 14.04
[11:57] <riply> she is literally sitting on first boot
[11:57] <riply> waiting her fate.
[11:57] <cloudman> get on the vm channem andreycheck is a treasure to help
[11:57] <cloudman> channel sry
[11:58] <histo> riply: grep apache /some/script/file
[11:58] <riply> I am on the VM chan :) left the same message earlier!
[11:58] <cloudman> riply: they have a howto for using nginx
[11:58] <cloudman> yeah see you
[11:59] <riply> I am at the office now so will have a look when I am home.
[11:59] <riply> the server's there too..
[11:59] <cloudman> will stick with apache myself
[11:59] <riply> cloudman, thanks man - I've not been on the site for years.
[11:59] <riply> cloudman, the only reason I want to move is that this project is going to, hopefully, get a lot of traffic.
[12:00] <riply> I don't want the thing to die on me :(
[12:00] <cloudman> well you need a good server and network for that
[12:00] <cloudman> can I pm you?
[12:00] <riply> cloudman, you're welcome to
[12:01] <cloudman> ty
[13:12] <zul> jamespage:  great python-oslo.db is broken in utopic
[13:41] <DeltaHeavy> Should everything in my /usr/local/share/ be under the main user I use? I keep getting this error in zsh and fixed it by changing ownership to 'root:root'. I think I may have made a big mistake when giving permissions to my main user for global nodejs modules but I'm unsure =X
[13:41] <DeltaHeavy>  /usr/local/ is all owned by my main user. not root
[13:45] <reesp> Hi! i need help... my company wants to start using ubuntu in our projects. please tell me one thing: for a company, is it free to use ubuntu server?
[13:46] <DeltaHeavy> reesp: 100% yes. You just don't get any support.
[13:47] <ogra_> well, you get community support unless you pay ... then you can get commercial support too
[13:47] <RoyK> reesp: linux is free, but certain distros can't be used without payment, things like SuSE and RedHat
[13:48] <DeltaHeavy> I used to be a CentOS (free RedHat clone) and Debian guy. I switched to Ubuntu Server and I couldn't be happier.
[13:48] <reesp> yes it's true RoyK
[13:48] <reesp> Ok many thanks
[13:48] <reesp> where can i get commercial support?
[13:49] <RoyK> reesp: but paying for that's my question too - tried to find it on ubuntu.com, but the site is a bit messy
[13:49] <DeltaHeavy> reesp: http://www.ubuntu.com/management
[13:49] <DeltaHeavy> I find Google is better at navigating websites than I am lol.
[13:50] <RoyK> landscape is nice
[14:07] <reesp> there exist 2 kinds of support: landscape and advantage, right?
[14:12] <RoyK> reesp: yep - you'd want the latter if you're paying for support. landscape is nice for a server overview etc, but it's not *support*
[14:13] <RoyK> reesp: but then, having worked with linux systems for a while, I don't really see the idea of "support", since these days, you have things like google and irc and forums and facebook and whatnot
[14:14] <RoyK> reesp: but again, if it's not seen as a big cost, it's a very nice payback
[14:15] <patdk-wk> well, it also depends
[14:15] <patdk-wk> sometimes having someone else patch and fix a package is nice
[14:15] <patdk-wk> especially if you run in to a kernel issue
[14:16] <RoyK> patdk-wk: that's certainly a case
[14:17] <RoyK> I wonder how long it'd take canonical to fix #1171945 if I actually paid them support
[14:17] <RoyK> bug 1171945
[14:18] <patdk-wk> I just randomly hit another one
[14:18] <patdk-wk> #1274320
[14:18] <patdk-wk> guess it doesn't love me
[14:18] <patdk-wk> bug 1274320
[14:20] <RoyK> 1171945 seems to be upstart
[14:20] <RoyK> I don't like upstart
[14:20] <RoyK> I also don't like upstart
[14:20] <patdk-wk> well, upstart is going away
[14:20] <RoyK> yep
[14:21] <RoyK> I hoped for systemd in 14.04, but seems we'll have to wait another two years (LTS)
[14:21] <patdk-wk> we have systemd in 14.04
[14:21] <patdk-wk> the issue is, we have systemd + upstart
[14:22] <hallyn> zul: hey, if/when you merge the new libvirt, can you address bug 1335221 (adding package info to the configure line in debian/rules)
[14:22] <zul> hallyn:  yeah working on it now
[14:23] <hallyn> cool
[14:39] <jdowdle> I'm having trouble mounting a NFS share on a 12.04 box. When issuing the mount command, it times out. It's through vagrant - but I've mounted other NFS shares via vagrant before. I think the base box chef/ubuntu12.04 is possibly missing something.
[15:06] <zul> hallyn:  should be available here https://launchpad.net/~zulcss/+archive/libvirt-testing
[15:17] <Thatguy> Is there a shell I can use for my web hosting server for people to use that will only allow them to do basic commands and only see web files
[15:18] <peetaur2> Thatguy: I don't know if there is such a shell, but whichever you choose, make sure to also sandbox it inside apparmor or other LSM when you pick one.
[15:19] <Thatguy> ok
[15:20] <peetaur2> Thatguy: eg. let's say you give them rsync access... then they upload their own bash, and run    rsync -e "/home/me/bash" blah/ localhost:blah/     and they might have a new unlimited shell
[15:21] <Thatguy> I found out you can do a jail with bash
[15:27] <patdk-wk> why would you do that?
[15:28]  * patdk-wk thinks someone needs to learn what apparmor is
[15:28] <patdk-wk> doing a jail in bash will break all other programs
[15:29] <Thatguy> sorry, I mean
[15:29] <Thatguy> rssh
[15:34] <jrwren> the bash restricted shell?
[15:48] <Thatguy> It's a package called zsh, only allows sftp and rsync items
[15:51] <DeltaHeavy> Thatguy: That's not what zsh does at all, nor does it create a jail.
[15:52] <Thatguy> oh, I mean rssh :D
[15:52] <DeltaHeavy> Gotcha
[15:52] <Thatguy> haha getting the two messed up :D
[15:52] <Thatguy> got it working trying to chroot it now
[15:53] <Thatguy> but when I do it won't let me log in
[16:39] <Thatguy> anyone here used sshd config with chroot?
[16:40] <patdk-wk> ya, totally dislike it
[16:44] <Thatguy> can't set it to /var/websites
[16:44] <Thatguy> only settable to /
[16:45] <superboo1> Hi all. I need to format a 4TB partition. I'm running 14.04LTS Server. Someone suggested using the GUID partition table. Is this supported by the default kernel in 14.04? Is there a more recommended way to achieve a 4TB partition?
[16:45] <Thatguy> which is what it would be normally :S
[16:49] <patdk-wk> superboo1, it's been supported for a long time
[16:49] <rickbeldin> Looking for tips on analyzing core dump of /usr/bin/kvm from 12.04.   Where do I get debug symbols (debuginfos?) for this?
[16:53] <Thatguy> turns out that for chroot on ssh root has to own folder :S
[16:54] <patdk-wk> yep
[17:01] <Thatguy> got it working with proftpd now
[17:01] <Thatguy> Do you know how to make when I do service proftpd restart
[17:01] <Thatguy> wait 2 second between stop and start
[17:01] <Thatguy> because I have to do it twice or do start then stop
[17:01] <Thatguy> tried pause 2 but it comes up with an error
[17:02] <patdk-wk> add a sleep in the init script
[17:02] <Thatguy> just add "sleep 2"
[17:02] <Thatguy> right
[17:02] <Thatguy> as I get this /etc/init.d/proftpd: 180: /etc/init.d/proftpd: pause: not found
[17:02] <DeltaHeavy> Thatguy: I've done secure sshd configs so users can only use SFTP with no ability to muck anything up.
[17:03] <Thatguy> DeltaHeavy: gonna use proftpd ;D
[17:03] <DeltaHeavy> I'd avoid the use of plain ol' FTP period. It's slow, shitty, and insecure.
[17:03] <Thatguy> using sftp module for it
[17:03] <patdk-wk> DeltaHeavy, who said it was ftp?
[17:03] <DeltaHeavy> Thatguy: Ok, gotcha. Thought it just did FTP
[17:04] <Thatguy> no :D
[17:04] <DeltaHeavy> patdk-wk: The website says it's an "FTP Server" so yeah.
[17:04] <patdk-wk> now, I setup mine long before proftpd had sftp support
[17:04] <patdk-wk> I'm using a nicely patched sshd
[17:04] <DeltaHeavy> The amount of webdevs I see that use FTP honestly boggles my mind. Then again there seems to be a LOT of really stupid webdevs who haven't a clue in the world about what they're really doing.
[17:04] <Thatguy> lol
[17:04] <patdk-wk> and also patched suexec in apache, though it's supported now, for apparmor
[17:05] <Thatguy> was gonna use ssh chroot but you have to set the user of the folder to root
[17:05] <patdk-wk> DeltaHeavy, I would be happy if they used ftp, still using frontpage2003 here
[17:05] <DeltaHeavy> patdk-wk: Are you serious?
[17:05] <patdk-wk> yes
[17:05] <Thatguy> any of you know why this " /etc/init.d/proftpd: 180: /etc/init.d/proftpd: pause: not found" is coming up :S
[17:05] <DeltaHeavy> Why @_@
[17:05] <patdk-wk> cause they can :)
[17:05] <DeltaHeavy> patdk-wk: Who's "they"?
[17:06] <patdk-wk> customers
[17:06] <DeltaHeavy> Your place of work's webdev department?
[17:06] <DeltaHeavy> Ugh
[17:06] <patdk-wk> it's still too much of a selling point
[17:06] <patdk-wk> for people to not bother upgrading
[17:06] <patdk-wk> or learning something new :(
[17:06] <DeltaHeavy> What's a selling point?
[17:06] <patdk-wk> they don't have to change
[17:06] <DeltaHeavy> Making your website look like a pile of shit and get a shitty page rank?
[17:06] <patdk-wk> obviously they are not concerned about that
[17:07] <DeltaHeavy> It's basically saying "I'm ok making garbage"
[17:07] <patdk-wk> I have so heavily patched the frontpage cgi binaries to secure them
[17:07] <patdk-wk> well, to make them work in a secure environment
[17:08] <DeltaHeavy> They still produce utter garbage.
[17:08] <DeltaHeavy> No self-respecting webdev uses Frontpage or a WYSIWYG period.
[17:08] <patdk-wk> heh?
[17:08] <patdk-wk> most of them use wordpress these days :)
[17:09] <DeltaHeavy> That's not a client :p
[17:09] <DeltaHeavy> Or like...editor
[17:09] <DeltaHeavy> Whatever you want to call Frontpage
[17:09] <patdk-wk> IDE
[17:09] <DeltaHeavy> If you want to call it that lol.
[17:09] <Thatguy> yeah i know what you mean :D
[17:09] <patdk-wk> only thing that applies
[17:10] <Thatguy> and then they get defaced
[17:10] <Thatguy> because its not very secure
[17:10] <DeltaHeavy> Eh, WP isn't that bad. There are just a LOT of shitty WP devs installing plugins made by other shitty WP devs. WP core is fine.
[17:10] <DeltaHeavy> Shitty devs gravitate towards WP and use it for EVERYTHING.
[17:10] <Thatguy> it has an upload script that can be used to upload a php shell
[17:11] <DeltaHeavy> I have a client I'm always helping out, they're a consulting firm. They have document roots inside document roots inside document roots.
[17:11] <Thatguy> lol
[17:11] <DeltaHeavy> No JS event listeners. Just onclick attributes and the like.
[17:11] <DeltaHeavy> 4 versions of jQuery included on each page
[17:12] <Thatguy> lol
[17:12] <Thatguy> just incase the url goes down 3 times :D
[17:13] <DeltaHeavy> It confuses me why shit like this is so common in comparison to other development platforms x.x
[17:13] <IdleOne> Can we please watch the potty language
[17:13] <DeltaHeavy> True, sorry. Forgot this channel had that rule.
[17:14] <GH0> Is there a list of the big package changes from 12.04 to 14.04? Or any other change logs that deal with packages? I just want to make sure when I upgrade that it doesn't break anything
[17:14] <DeltaHeavy> GH0: Nodejs works way better on 14.04 I find. Also it's using PHP5.6 which has a lot more awesome features.
[17:15] <sarnold> GH0: release notes are handy; every package has a changelog, too, though it might not be easy to pick out what's new between two releases..
[17:17] <GH0> I just want to make sure things like VMware won't break, since it is pretty picky about the running kernel. Among other things.
[17:17] <patdk-wk> picky about the running kernel?
[17:17] <patdk-wk> gh0, what exactly is vmware?
[17:17] <patdk-wk> you don't normally run a company on a computer, but software
[17:18] <DeltaHeavy> If you Google stuff like "VMware Ubuntu 14.04" and even append a "not working" to it, it should be obvious if there's a huge problem with upgrading or not.
[17:19] <patdk-wk> I have 0 issues using esxi or workstation on 14.04
[17:19] <patdk-wk> or esxi inside workstation on 14.04
[17:19] <RoyK> DeltaHeavy: I have some 1404 machines on esxi - works well
[17:20] <mfisch> zul: can you tell me if I should be using python-glance or python-glanceclient for scripts? it looks like from P-->T that some client features migrated
[17:20] <mfisch> zul: and I'm not sure if one is deprecated perhaps, there still seems to be overlap
[17:20] <zul> glanceclient
[17:20] <mfisch> thanks zul
[17:22] <lordievader> Good evening.
[17:24] <RoyK> evening
[17:25] <lordievader> Hey RoyK, how are you?
[17:55] <hushnowquietnow> Hello
[17:56] <hushnowquietnow> I think I may have just screwed myself over with an ubuntu server I'm maintaining.  I misspelled the server's domain name in /etc/hostname and then rebooted.  Now trying to SSH to the machine just returns a 'network unreachable' message
[17:58] <hushnowquietnow> Is there any way I can get back into the server remotely?
[18:01] <sarnold> hushnowquietnow: 'network unreachable' probably says more about your local host than the server
[18:01] <sarnold> hushnowquietnow: try pinging your gateway device, tracerouting out to the network, etc
[18:02] <hushnowquietnow> sarnold: I'm trying to connect from the same machine that I'm IRCing on
[18:03] <sarnold> hushnowquietnow: ah :)
[18:03] <sarnold> hushnowquietnow: can you ping the IP? traceroute to the IP? ping the DNS? traceroute to the DNS?
[18:09] <hushnowquietnow> Oops
[18:10] <hushnowquietnow> Pinging the hostname gives responses from an entirely different IP.  Pinging the IP returns 'destination host unreachable'
[18:10] <hushnowquietnow> I'm not sure how to interpret the output of traceroute
[18:11] <RoyK> hushnowquietnow: does pinging the host and running "host yourhost.somewhere" give the same ip?
[18:12] <hushnowquietnow> RoyK: Running the host command returns the proper IP address and the one that responds to ping
[18:20] <hushnowquietnow> Well, at this point I think I'm better off cutting my losses and just restoring the VM from a snapshot
[18:21] <hushnowquietnow> One other question though: should /etc/hostname have the FQDN of the server?  Or just its hostname without the domain?
[18:24] <sarnold> I -think- hostname should just have the hostname, no domain
[18:26] <hushnowquietnow> So I wasn't even supposed to be doing the thing I did when I broke everything D:
[18:27] <sarnold> heh, I think there's been debate about the /etc/hostname file for the two decades I've been around..
[18:28] <patdk-wk> heh
[18:29] <patdk-wk> I vote hostname file goes away :) or contains the fqdn
[18:29] <patdk-wk> mailname should go away too
[18:30] <sarnold> hah, I hadn't noticed I still have an /etc/mailname ..
[18:31] <rberg> can /proc /sys and /proc/sys get merged while we are shaking the tree?!
[18:31] <rberg> :)
[18:31] <patdk-wk> rberg, that is a kernel issue, much harder :)
[18:36] <digs> I am fighting vsftpd on 12.04. I am using Amazon EC2. I have been able to make this work just fine on 14.04 - here is my config: http://codepad.org/0n1DGuCq
[18:36] <digs> It fails on file transfers.
[18:36] <digs> It gets to 100% and then times out.
[18:36] <digs> I have tried removing the chroot, same issue.
[18:37] <digs> Ports 20,21,12000:12100 are open to 0.0.0.0/0 on the associated ec2 security group. There is no firewall running on the server.
[18:37] <digs> (at least none I installed and iptables is not running)
[18:38] <DeltaHeavy> digs: Why are you using FTP in the first place? Why not use SSH?
[18:38] <DeltaHeavy> SSHFS and SFTP both run through it.
[18:38] <digs> legacy support.
[18:39] <digs> I am moving to that over the next few months... but I can't do it yet.
[18:39] <DeltaHeavy> What do you need to support though that can't use those protocols? SSH is ooooold
[18:39] <digs> I don't want to defend my decision.
[18:42] <RoyK> hushnowquietnow: are you sure you don't have a line in /etc/hosts for that box?
[18:43] <hushnowquietnow> I can't be sure any more.  I reset the machine from a vm snapshot about 10 minutes ago and now it's happily humming along
[18:45] <DeltaHeavy> digs: I'm just curious at this point.
[18:45] <RoyK> it's good it works ;)
[18:45] <DeltaHeavy> Was asking though because if we know the root of what you're trying to accomplish there might be an easier solution digs. Often when people try to set up FTP they're better off using a better protocol.
[18:46] <digs> I have been an admin for over 10 years. I appreciate and completely understand your angle but I assure you, I need ftp for now.
[18:47] <digs> I am fairly new to ubuntu though. I have only been using it for about a year. I am much more acquainted with FreeBSD.
[18:47] <DeltaHeavy> Yeah, I'm not saying you're wrong. I am legitimately curious now but if it's too much trouble to explain don't bother.
[18:48] <DeltaHeavy> digs: Is there an error log?
[18:48] <RoyK> IMHO FTP is for special purposes these days, and hardly needed for anything else
[18:48] <digs> I can't understand why the config works perfectly fine on 14.04 and doesn't on 12.04. I actually have this issue on another server too, where I opted for sftp because I couldn't make regular ftp connections work after I upgraded the box. It was working fine before.
[18:49] <digs> DeltaHeavy, there is a "transfer log" but it is of no help. Nothing useful.
[18:50] <RoyK> digs: try to disable the firewall if you have any
[18:50] <sarnold> digs: anything useful in dmesg?
[18:53] <digs> Just double checked, no.
[18:55] <digs> By all documentation and 20 some posts found by my searches, this configuration should work.
[18:55] <DeltaHeavy> File permissions?
[18:55] <DeltaHeavy> Do you have acl on?
[18:56] <histo> digs: is it possible that some new feature in the 14.04 vsftpd version vs 12.04 isn't supported in the config?
[18:56] <digs> histo: Yes, there are some differences, but these particular configuration parameters match and vsftpd doesn't complain about any of them.
[18:57] <digs> DeltaHeavy - no acl, and file permissions are valid.
[18:57] <digs> I was going to try making a 777 dir just to see and I forgot. let me try that.
[18:57] <histo> digs: yeah start there and see
[18:58] <digs> same issue.
[19:01] <histo> digs: try a default config
[19:03] <RoyK> digs: pastebin iptables -vnL ; ip6tables -vnL
[19:03] <digs> It starts the file transfer, gets to 100% in filezilla, then hangs for about 20 seconds and filezilla pops up asking if I want to overwrite or resume the transfer and the filezilla log looks like this: http://codepad.org/9BioM0HK
[19:03] <digs> I changed the ip.
[19:04] <RoyK> digs: filezilla has issues - does it work with something like ncftp?
[19:04] <histo> RoyK: how would it be firewall if it starts the transfer
[19:05] <RoyK> digs: nice ip address btw
[19:05] <digs> fw: http://codepad.org/8bM7IdFX
[19:05] <RoyK> histo: probably not, just asking
[19:05] <RoyK> digs: well, that's wide open
[19:06]  * histo suspects client
[19:06] <digs> client works fine on 14.04 - and it is a popular client, if I can't get it to work with filezilla, the server side is useless.
[19:07] <digs> for grins, I will try another.
[19:11] <digs> okay, now I am baffled. It worked on the other client with a .txt file. I tried the same file with filezilla. it works. I tried a pdf... it works. I tried the same file I have been trying... a favicon.ico ... it fails. Tried a .png, it works.
[19:11] <digs> it fails .ico files on both clients. wtf.
[19:12] <digs> I have been stabbing this thing for over an hour.
[19:12] <patdk-wk> digs you have a firewall anywhere?
[19:12] <digs> I have a cisco fw on-site. I can check the IPS logs.
[19:13] <patdk-wk> make sure the port range it uses for passive mode ftp is open
[19:13] <patdk-wk> you might only have it partially open
[19:13] <digs> simpler, I can exclude myself in the ACL from the traffic forward to ips.
[19:14] <patdk-wk> what ftp server is it?
[19:14] <digs> vsftpd
[19:15] <digs> son of a _ it was the cisco IPS blocking the .ico file extension. grrr.
[19:16] <digs> Thanks for oiling my gears guy. shezz.
[19:16] <digs> guys*
[19:16] <digs> only reason I tried a .txt file was because I was too lazy to go find the .ico in the other ftp client :D
[19:18] <digs> now I have to reconfigure the IPS to chill out, at least for a few LAN ips.
[19:24] <RoyK> digs: blocking .ico files is rather paranoid ;)
[19:25] <patdk-wk> they are nothing but issue :)
[19:27] <hushnowquietnow> Did the .ico files work on the 14.04 server?
[20:10] <digs> RoyK - I agree... I am not sure why it blocks them... yet.
[20:12] <RoyK> digs: guess it's about the possibility of embedding source code in pictures so that the javascript interpreter could accidentally run a script inside an image, but then, they'd have to block all image files, which would take the internet back to 1993 or so ;)
[20:40] <smoser> $ sudo lxc-create -t download -n f -- --list
[20:40] <smoser> Setting up the GPG keyring
[20:40] <smoser> hang
[20:40] <smoser> stgraber, hallyn ^
[20:40] <smoser> i suspect that that hang is gpg waiting for random data
[20:40] <smoser> that is never going to come to it
[20:40] <smoser> is that true ?
[20:41] <hallyn> smoser: seems plausible
[20:41] <smoser> :-(
[20:41] <hallyn> create some randomness :)
[20:41] <hallyn> smoser: you could do --no-validate
[20:42] <hallyn> not sure if that will eschew the gpg keyring creation altogether or not
[20:42] <hallyn> if not, it should
[20:42] <smoser> bah
[20:42] <smoser> no. it's looking for download key from a keyserver
[20:42] <smoser> :-(
[20:43] <smoser> why wasn't that delivered for me with the package
[20:46] <stgraber> smoser: because we want to be able to revoke the key easily if the server is corrupted and not wait for distros to update their package in that case
[20:46] <stgraber> we use a pretty big gpg keyserver network though and have it setup so that it works over http proxies though and attempts to fetch the key 3 times
[20:47] <stgraber> so it's pretty rare to be in an environment where fetching the key won't work but fetching the index and image afterwards will
[20:53] <smoser> stgraber, and how would you revoke that key?
[20:53] <smoser> you'd believe that some user is more likely to update their upstream tarball than get a key id from you?
[20:53] <smoser> and i disagree that it's "pretty rare" to be in such an environment
[20:54] <smoser> many environments have network access only through http_proxy
[20:54] <smoser> how is it any different to deliver a keyid than to deliver the key ?
[20:54] <smoser> gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 0xBAEFF88C22F6E216
[20:54] <smoser> bah
[20:55] <smoser> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1338781
[20:55] <smoser> i honestly don't understand how that is any different.
[20:56] <ochiottes> hey
[20:56] <ochiottes> i just found that syslog has no entries for the past 5 weeks
[20:57] <ochiottes> how do i check if it's running and how would i turn it on again?
[20:58] <stgraber> smoser: if we need to revoke the key, we push the revocation to the key network and we're done, that will immediately prevent anyone from getting content signed by the compromised key, without having to rely on the distros updating lxc
[20:59] <stgraber> smoser: switching to a new key will then require distros to update LXC to include the new keyid but at least during that time, lxc will refuse to create containers with images signed by a compromised key (which would be essentially remote code execution on all machines using the template)
[21:00] <smoser> well, i'm not entirely convinced.
[21:01] <smoser> and less convinced that depending on an uncommon protocol delivered from a service that is not all that reliable is a good solution.
[21:05] <stgraber> well, I've carefully chosen that specific network, protocol and port combination specifically because it works through http proxies. I've got multiple servers using the download template on very restricted networks with gpg and https traffic happily going through a proxy, you're the first one to report a problem with that, so I'm wondering what's special with your setup...
[21:07] <stgraber> smoser: actually, looking at the code, it looks like http_proxy isn't set in your environment
[21:07] <stgraber> smoser: otherwise the template would have used hkp://p80.pool.sks-keyservers.net:80
[21:10] <byte> n8
[21:10] <smoser> stgraber, you are correct.
[21:10] <smoser> i didn't get http_proxy set.
[21:10] <patdk-wk> isn't that replayable?
[21:10] <smoser> annoying that it doesn't pass through sudo in this case.
[21:11] <patdk-wk> by mtim
[21:11] <patdk-wk> mitm
[21:11] <stgraber> ah yeah, sudo is a bit annoying for that...
[21:12] <smoser> but you're still dependent on this arbitrary 3rd party web service
[21:12] <smoser> why not just wget https://linuxcontainers.org/the-key and use that ?
[21:16] <stgraber> we don't depend specifically on that service, the GPG network is replicated between services so you can use any valid keyserver you want. I also thought it'd be a better practice not to have our key revocation procedure depend on the same server that's hosting the rest of the files (since it'd be likely both would be compromised at the same time, being on the same physical box)
[21:17] <stgraber> pool.sks-keyservers.net is made of over 20 servers, reachable over ipv4 and ipv6 around the world, so I think it's reliable enough
[21:19] <stgraber> patdk-wk: you are correct, the keyserver protocol can be man-in-the-middled and so if you get your hands on our private gpg key and our https certificate (or get access to the web server), you can then MITM the gpg keyserver and the images server to feed bad images to a client
[21:20] <stgraber> patdk-wk: which seems reasonably difficult (though not impossible). And this would be for a very targeted attack, not for the widespread distribution of compromised images (which was our main focus there)
[21:20] <hallyn> niemeyer: hey - is there anyone in particular who'd be good to ask about relationships/dependencies between golang packages in trusty?
[21:27] <niemeyer> hallyn: I'm happy to talk about it, but I'm not a good person to explain it.. my preference was always for a more monolithic approach, but we've inherited that design from Debian, which surely follows more closely what the policy says
[21:27] <smoser> stgraber, i don't know how reliable it is.
[21:28] <smoser> i'm fairly sure i've seen it down.
[21:28] <smoser> but you've now inserted something into the critical path that was previously utilized very occasionally
[21:29] <smoser> ie, compare the number of times you've gpg --import-keypair to the number of times you've 'apt-get install'  or 'apt-get update'
[21:32] <hallyn> niemeyer: in order to sru docker.io we need a few golang packages updated.  I've opened bugs for those, but am wondering whether they in turn should trigger any others.  bugs are:
[21:33] <hallyn> bug 1338759, bug 1338769, bug 1338772, bug 1338775  (and two more to come when rharper opens them)
[21:33] <hallyn> niemeyer: they all built/installed fine as they were, and none listed any versioned deps that weren't being met in trusty,
[21:33] <hallyn> but i just wanted to make sure.
[21:34] <VioByte> Anyone know how to get Ubuntu 12.04 to allow support for lookups to LDAP with a username that contains a dot/period instead of returning "id: user.name: No such user" Or is this not doable for some retarded reason?   Normal ldap user lookups work fine except for the dotted ones.
[21:34] <niemeyer> hallyn: These are all third-party packages which I'm not familiar with
[21:34] <hallyn> niemeyer: ok, thanks
[21:35] <hallyn> niemeyer: if they're not core to go anyway then all the better :)  i didn't want to break builds of juju or something
[21:36] <niemeyer> hallyn: Yeah, two of them are part of Gorilla, which is a bunch of helpers on top of Go's http package
[21:38] <hallyn> i don't see any packaged version of that ?
[21:39] <niemeyer> hallyn: These are the packages
[21:39] <niemeyer> hallyn: https://github.com/gorilla
[21:45] <hallyn> yeah that should be fine (since it's coming from git)
[22:45] <VioByte> Anyone know how to get Ubuntu 12.04 to allow support for lookups to LDAP with a username that contains a dot/period instead of returning "id: user.name: No such user" Or is this not doable for some retarded reason?   Normal ldap user lookups work fine except for the dotted ones.