| Bozza | i need a linux server OS, talk to me | 00:10 |
|---|---|---|
| pmatulis | Bozza: ? | 00:47 |
| === fridayne_ is now known as fridaynext | ||
| bitfury | hello, any known problems with gre tunnels in ubuntu server 14.04? | 01:42 |
| bitfury | I've set up a gre tunnel between an ubuntu server and router, the tunnel comes up but can't ping either end point :\ | 01:43 |
| sarnold | bitfury: I don't recall any complaints recently | 01:43 |
| bitfury | when I ping the remote end point from the ubuntu box, they show up as errors on the tun1 interface | 01:45 |
| sarnold | can you pastebin 'ip link' or 'ip addr' output on both endpoints? perhaps there's something one of could spot | 01:48 |
| bitfury | sure thing, I have a cradlepoint router on one end so I'll try to enable logging. | 01:50 |
| Bozza | selinux is developed by the nsa. while app armour is made by canonical. which is more secure? | 01:51 |
| sarnold | Bozza: you should pick the tool that is better suited for your needs. | 01:51 |
| sarnold | Bozza: if you need a labeled security mechanism then selinux is a better fit. if you want to confine some services or some users or specific programs, you might prefer apparmor. | 01:53 |
| sarnold | Bozza: selinux has had confinement of more resources for longer; apparmor is just now growing confinement for e.g. abstract and unnamed unix sockets. if you need a more comprehensive containment mechanism, selinux may be a better fit. | 01:53 |
| Bozza | is it not kind of sketchy that selinux is developed by the nsa? | 01:54 |
| sarnold | Bozza: I may be biased towards apparmor because I've been working on it for fourteen years :) but I think more users would see more benefit to using apparmor despite the reduced mediation interfaces. I believe apparmor policy is easier to author and easier to understand. | 01:55 |
| Patrickdk | it is | 01:55 |
| Patrickdk | selinux is based on the acl design | 01:55 |
| Patrickdk | and while that is nice | 01:55 |
| Patrickdk | it's not easy to maintain | 01:55 |
| sarnold | Bozza: no. the guys from the NSA who worked on SELinux are charming individuals who honestly believe in information security. they wrote it in part so that the US government would have tools to use for classified information storage and to make other vendors put in some effort to take security seriously. | 01:56 |
| sarnold | Bozza: and of course since the full source of both systems is peer-reviewed before being integrated into the linux kernel, there's enough oversight that backdoors would be immensely difficult to build into either system. | 01:57 |
| Bozza | yea, this sounds like the most reasonable explanation | 01:58 |
| Bozza | this is if you have enough knowledge to read complex kernel code | 01:58 |
| Bozza | surely there are enough people who do review it though | 01:58 |
| sarnold | thankfully the kernel portions of both are overall easier to read than e.g. networking or block storage layers :) | 01:59 |
| Bozza | you actually know the guys at the nsa who wrote it? what are you, gchq? :3 . do you guys get together for tea and discuss security? :) | 02:00 |
| Bozza | selinux by nsa. app armour by gchq .. large range of solutions to choose from | 02:00 |
| sarnold | Bozza: hehe, I don't work for gchq; we worked with them to help define the linux security module interface a dozen years back, so we'd get together at Ottawa Linux Symposium to discuss features, designs, etc. | 02:00 |
| Bozza | just joking :) | 02:00 |
| sarnold | Bozza: rofl | 02:01 |
| Bozza | :D | 02:01 |
| Patrickdk | sarnold is mi5 :) | 02:01 |
| sarnold | Patrickdk: you know people confuse me for daniel craig all the time.. | 02:01 |
| Bozza | hehe | 02:01 |
| sarnold | Bozza: poke around in your /etc/apparmor.d/ directory and see if you find the policy understandable or not; then poke around in the selinux policy on a fedora system... pick whichever one is easier for you to understand and whichever feels like it'd be easier to write your own policy | 02:03 |
| Bozza | thanks for your help sarnold | 02:04 |
| Bozza | yes i will take a look | 02:04 |
| sarnold | Bozza: have fun :) | 02:04 |
| Bozza | hehe | 02:04 |
| Bozza | XD | 02:04 |
| Bozza | i just stumbled upon some articles about people wondering if selinux was an nsa backdoor | 02:05 |
| Bozza | so thought i would ask someone more experienced | 02:05 |
| sarnold | well, I'm just some jerk on the internet :) but selinux was designed by committed people who have a sincere interest in improving security. | 02:05 |
| sarnold | apparmor and selinux may 'compete' in many areas but in that area we are in firm agreement :) | 02:06 |
| Bozza | what does freebsd use? | 02:07 |
| Bozza | just out of interest | 02:07 |
| Bozza | apparmor? | 02:07 |
| Patrickdk | none of them | 02:08 |
| sarnold | the trustedbsd framework is apparently slightly similar to the lsm framework; they have an selinux-workalike, but I do not know if it is used much or not. they don't have apparmor, though it could probably be ported with a month's effort or two... | 02:08 |
| sarnold | as far as I know the only real consumer of the freebsd security framework is apple's "seatbelt" mechanism, which tags downloaded files with the site they were downloaded from, so when they are run, a dialog box can be popped up saying "this was downloaded over the internet" | 02:09 |
| sarnold | .. and apple's ios confinement thing, which looks a lot like apparmor did fourteen years ago... | 02:09 |
| Bozza | yea that dial box can be annoying | 02:11 |
| Bozza | wow you really do know your security code.. | 02:12 |
| Bozza | iOS confinement . one would have thought it would be a bit more modern | 02:12 |
| bitfury | sarnold: sorry I took so long, my computer was acting up.. here's a pastebin: http://pastebin.com/g3yZekfL | 02:12 |
| bitfury | ubuntu server and router as GRE end points | 02:13 |
| sarnold | bitfury: dang, I can't spot anything. I don't know gre well enough :( | 02:15 |
| bitfury | :( | 02:16 |
| bitfury | not sure where or what to look for on the ubuntu box | 02:16 |
| bitfury | tried tcpdump but doesn't work on tun ifaces | 02:17 |
| hallyn | sarnold: isn't it freebsd that has capsicum implemented? | 02:21 |
| sarnold | hallyn: yeah, but I haven't read enough about capsicum :( | 02:22 |
| hallyn | sarnold: there'll be a talk at lss in 1.5 wks :) | 02:22 |
| sarnold | hallyn: hehe :) I'm not headed there though.. | 02:22 |
| Bozza | selinux looks like a PITA to set up properly. might have to go with ubuntu-server when i deploy | 02:25 |
| Bozza | ubuntu has much better support anyway | 02:25 |
| === arrrghhh is now known as arrrghhhAWAY | ||
| lordievader | Good morning. | 07:30 |
| === KM0201_ is now known as KM0201 | ||
| abhishek___ | hello everyone can anyone help ! I want to setup ldap authentication server for 5 lac users.please help me on storage calcultions | 08:24 |
| bekks | abhishek___: You wont need much, you have 5 users only. | 08:28 |
| abhishek___ | actually I was planning to have 500000 users | 08:29 |
| abhishek___ | bekks ar u there ?? | 08:34 |
| bekks | 500k users? :) | 08:35 |
| bekks | Which kind of FC storage are you using, which kind of database, how many cluster servers, etc.? | 08:36 |
| === Lcawte|Away is now known as Lcawte | ||
| abhishek___ | we are using mdb and two culster will be there | 08:43 |
| bekks | Whats "mdb"? | 08:43 |
| abhishek___ | bdb is default in openldap we are using mdb for greater performance | 08:44 |
| bekks | And what about my other questions? And how do you connect the network - 10GbE, fibre or copper, which backbone switches? | 08:45 |
| cfhowlett | bekks, 1 question at a time!? Please :) | 08:45 |
| abhishek___ | 10GbE | 08:45 |
| abhishek___ | fiber | 08:45 |
| bekks | abhishek___: What about my other questions? :) | 08:55 |
| === Lcawte is now known as Lcawte|Away | ||
| === Lcawte|Away is now known as Lcawte | ||
| noob2014 | Good morning from Indiana - I have a noob question - hoping sombody willing to help? | 12:20 |
| lordievader | !ask | noob2014 | 12:21 |
| ubottu | noob2014: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience | 12:21 |
| noob2014 | ok ty | 12:22 |
| noob2014 | I installed Ubuntu LTS on a virtual machine, and then installed XFCE4, but when I try to start I get an error. "No command 'xinit:' found, did you mean: Command 'xinit' from package 'xinit' (main)" was unsure if I needed to install some kind of virtual video driver but i done a search and said to ~$ sudo lspci | grep -e VGA -e 3D 00:02.0 VGA compatible controller: Cirrus Logic GD 5446 | 12:24 |
| noob2014 | so i'm searching and all i keep getting is but reports | 12:25 |
| noob2014 | on google | 12:25 |
| cfhowlett | noob2014, when you try to start ... what? | 12:25 |
| noob2014 | startxfce4 | 12:25 |
| lordievader | noob2014: How did you install xfce? | 12:26 |
| cfhowlett | noob2014, logout. choose xfce session. login | 12:26 |
| noob2014 | sudo apt-get install xfce4 | 12:26 |
| noob2014 | I am using putty to login remote | 12:26 |
| cfhowlett | noob2014, you've got a running unity DE. logout. choose the alternate DE. login | 12:27 |
| noob2014 | i'm not sure how to do that because it's on a virtual machine i'm on windows and login through putty. and i'm noob | 12:28 |
| cfhowlett | noob2014, use the ubuntu machine. Log out. click the ubuntu gear icon. choose xfce session. login | 12:29 |
| noob2014 | no physical access i am trying amazon EC2 - it's free | 12:30 |
| noob2014 | only option is putty | 12:31 |
| lordievader | noob2014: If putty is the only option then why are you trying to install a gui? | 12:32 |
| noob2014 | well i thought it works with gui too | 12:33 |
| * cfhowlett ... | 12:33 | |
| cfhowlett | noob2014, "real servers don't have gui's" or so I've read | 12:34 |
| lordievader | noob2014: No, you can do nasty things like X forwarding. But nasty things are nasty. | 12:35 |
| Patrickdk | if putty is the only option, your just dense | 12:43 |
| Patrickdk | I have used rdp, vnc, nx, and X forwarding, all from ec2 | 12:44 |
| Patrickdk | not cause I needed a server with gui, but because I needed a desktop at amazon | 12:44 |
| wligtenberg | previously, I installed ubuntu server on 12.04 using the procedure listed here: http://askubuntu.com/questions/87241/how-to-install-using-btrfs-in-raid10-mode | 14:42 |
| wligtenberg | I am now trying to follow the same steps, but installation fails at trying to install the grub boot loader. I have tried it even with 5M of free disk space at the front of the disk, but it still fails. Is this grub2, which behaves differently from grub? | 14:43 |
| Patrickdk | defently | 14:44 |
| Patrickdk | but did you actually install grub2? | 14:44 |
| Patrickdk | or is the mbr still installed with grub? | 14:44 |
| Patrickdk | plus, 12.04 has grub2 | 14:45 |
| wligtenberg | 11.10 did that also have grub2? | 14:46 |
| Patrickdk | I don't know | 14:46 |
| wligtenberg | ok | 14:46 |
| wligtenberg | Patrickdk: installation failed, so nothing was installed really... | 14:46 |
| Patrickdk | heh? | 14:48 |
| Patrickdk | you ran grub-install /dev/sd??? | 14:49 |
| Patrickdk | and it failed? | 14:49 |
| Patrickdk | did you format your disks using gpt? | 14:49 |
| wligtenberg | the step in the installation which tries to install the bootloader failed | 14:49 |
| wligtenberg | I tried with partition table MSDOS and GPT, both fail | 14:49 |
| wligtenberg | Maybe I should try what some other guy did, install using ext4 on one disk. Then convert that to btrfs using a live cd and then later add disks and convert to raid1... (using dconvert) | 14:52 |
| TJ- | wligtenberg: when the grub install fails, open a terminal shell and look at the installer logs, they output all the commands run and capture errors reports so you can discover exactly why it failed | 14:56 |
| wligtenberg | Thanks TJ- I will try again and report back with the listed errors | 14:56 |
| FrankBlues | Is there a way to force all users to use the same windowmanager (Ubuntu LTS 14.04.1 with LTSP clients) | 14:57 |
| wligtenberg | @FrankBlues, just don't install any other window managers... | 15:23 |
| wligtenberg | (and prevent user from installing others) | 15:23 |
| * Patrickdk uses xterm for his wm :) | 15:25 | |
| wligtenberg | @TJ- It mentions unable to connect to upstart | 15:40 |
| wligtenberg | and something like Wrong number of args: mapdevfs <path> | 15:40 |
| wligtenberg | seems I have issues similar to: https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/912431 | 15:45 |
| uvirtbot | Launchpad bug 912431 in debian-installer-utils "Preseeded 12.04 grub-install failed: Wrong number of args: mapdevfs <path>" [High,Fix released] | 15:45 |
| VectorX | hi, i need to create a secure wb server running nginx and the well LNMP stack so to speak, which would include ssh, ftp, stuff like selinux or apparmour, mail etc, where would i find a good guide with detail explanation ? | 16:10 |
| === kaitanya is now known as caitanya | ||
| === Lcawte is now known as Lcawte|Away | ||
| wligtenberg | I ended up filing a new bug report as requested: https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/1354730 | 18:22 |
| uvirtbot | Launchpad bug 1354730 in grub-installer "14.04 grub-install failed: Wrong number of args: mapdevfs <path>" [Undecided,New] | 18:22 |
| === Lcawte|Away is now known as Lcawte | ||
| darksider | hi all | 18:54 |
| darksider | can someone please point me to a program that allows network traffic logging? | 18:54 |
| wligtenberg | wireshark | 18:54 |
| wligtenberg | @darksider: wireshark | 18:55 |
| darksider | thanks guys, taking a look now | 18:55 |
| darksider | wligtenberg: is this a GUI app? | 18:58 |
| wligtenberg | @darksider: yes it is | 18:59 |
| darksider | no good then, its for a server :) | 19:00 |
| wligtenberg | @darksider: http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html | 19:00 |
| wligtenberg | :) | 19:00 |
| wligtenberg | @darksider: Seriously, I just googled that... | 19:00 |
| darksider | wligtenberg: me too and saw that link, but having command line options doesnt take away the GUI part | 19:02 |
| darksider | wligtenberg: for your future reference http://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html | 19:03 |
| wligtenberg | I was just going to mention that :) | 19:04 |
| wligtenberg | (googled some more) | 19:04 |
| wligtenberg | so tshark should be your friend | 19:04 |
| darksider | let's see - while my server is idle, i get lag spikes | 19:06 |
| === Acilim_A is now known as Acilim | ||
| === Acilim is now known as Acilim_A | ||
| === Lcawte is now known as Lcawte|Away | ||
| Forex | hi folks | 23:48 |
| Forex | who here used those folks http://www.server4you.net/vps/ | 23:48 |
| Patrickdk | !best | 23:50 |
| Patrickdk | most likely, no one | 23:50 |
| Forex | lol | 23:52 |
| Forex | prices seems good | 23:52 |
| darksider | hi guys | 23:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!