[00:05] :)
[00:11] folks is it secure to use apt-get install as root?
[00:12] funta: is it secure to run `sudo apt-get update` or `sudo apt-get install` as a non-root user with sudo access?
[00:12] hmmm
[00:12] yes
[00:12] funta: the bigger security question is "Is it secure to use the root user instead of a non-root user"
[00:13] (this is why `sudo` actually exists)
[00:13] use means operate via putty?
[00:13] for example
[00:13] mhm
[00:13] if I set root login to no password and using key only?
[00:13] is thats fine?
[00:13] *that
[00:13] you missed my point
[00:13] yes
[00:13] as it not obvious to me
[00:14] when I install stuff as root something is not good?
[00:14] funta: is it safe to use the root user irregardless of authentication requirements in place of a non-root, unprivileged user, who can sometimes run some commands using `sudo`
[00:14] yes
[00:14] seems so
[00:14] funta: `apt-get install` will only run with superuser access and work, i.e. `sudo apt-get install` or just `apt-get install` as root. That answers your initial question. I would suggest DISABLING the root user, though, and just use `sudo` from a user with sudo access
[00:15] ok so totally disable root?
[00:16] when use apt-get where does it install stuff it compiles? /usr something?
[00:16] if its usr/bin all users can access
[00:18] lol i am using windows mostly yet I understand linux too
[00:20] ok sudo usermod -p '!' root ?
[00:20] thats the one?
[00:26] ok
[00:26] done
[00:27] is there some easy way to propagate existing server to new one?
[00:27] like ruby setup, some apps
=== apb_ is now known as apb1963
=== igurd is now known as Guest79210
=== Sachiru_ is now known as Sachiru
=== markthomas|away is now known as markthomas
[06:22] Good morning.
=== thresh_ is now known as thresh
[08:44] thanks for whoever pushed the updated ubuntu amis to ec2.
[08:44] although bash in there lacks the Recent Fixes
[08:45] 4.3-7ubuntu1.3 vs 4.3-7ubuntu1.4, but I guess will be updated as well?
=== Lcawte|Away is now known as Lcawte
=== Lcawte is now known as Lcawte|Away
[09:48] jamespage: please could you subscribe ~ubuntu-server to src:bcache-tools?
[09:49] rbasak, done
[09:49] Ta!
[11:03] morning
=== Lcawte|Away is now known as Lcawte
[11:21] Hi everyone i want to redirect http to https and if some one access in mysite.com it want to forward to www.mysite.com this both want to be done for my domain but i have done the mysite.com to www.mysite.com but i cant redirect my http to https if i enable the virtual host redirect rule for http to https page not getting loaded. im using apache2 in ubuntu server 14.04LTS here is my virtualhost entry in pastebin http://paste.ubuntu.com/8454609/
[11:22] jpds_: any news on bug 1330504 please?
[11:22] Launchpad bug 1330504 in strongswan "strongSwan 5.1.3" [High,Confirmed] https://launchpad.net/bugs/1330504
[11:23] rbasak: Got held up by other things last week.
[11:23] rbasak: But I've not forgotten about it.
=== Lcawte is now known as Lcawte|Away
[12:24] is it possible to reunt a trusty upgrade ?
[12:24] something went wrong
[12:24] *rerun
[12:30] YamakasY, what went wrong?
[12:30] !details | YamakasY,
[12:30] YamakasY,: Please elaborate; your question or issue may not seem clear or detailed enough for people to help you. Please give more detailed information, errors, steps, and possibly configuration files (use the !pastebin to avoid flooding the channel)
=== Lcawte|Away is now known as Lcawte
[12:34] coreycb, zul: so all of the oslo updates we did last week are blocked by bug 1371620
[12:34] Launchpad bug 1371620 in keystone "Setting up database schema with db_sync fails in migration 039 (SQLITE)" [Medium,Fix committed] https://launchpad.net/bugs/1371620
[12:34] needs a pick of this patch: https://github.com/openstack/keystone/commit/7dfccb705ac9c0cbcd7394bf37b356d84dbaa0ba.patch
[12:37] zul, I'm assuming you are re-working the flex package based on cjwatsons feedback right?
[12:38] jamespage: yes and yes
[12:38] zul, are you dealing with keystone as well or do you need coreycb or I to parallize that for you?
[12:39] that was bad spelling
[12:39] YamakasY, normally, rerun, is just to do apt-get dist-upgrade
[12:40] jamespage: get corey to do that please, more packaging familiarity for him would be awesome
[12:41] coreycb, you OK todo that? I can review and sponsor; also we need to re-enable the keystone test suite
[12:43] jamespage: i was looking at the keystone test suite on friday we need to sync python-pysaml2 from debian and MIR it
[12:43] coreycb: ^^^
[12:44] zul, is it just pysaml2?
[12:44] jamespage: i believe so
[12:55] coreycb, zul: pysaml2 would also require MIR's of:
[12:55] * python-repoze.who binary and source package is in universe
[12:55] * xmlsec1 binary and source package is in universe
[12:56] jamespage: ok maybe we can get away with it
[12:56] zul, its only a test-requirement
[12:56] jamespage: right...lets see if we can skip the tests then
[12:56] zul, so we could skip those tests for this cycle, and MIR early next
[12:56] jamespage: +1
[12:56] zul, lets make that upstreamable - like qpid in oslo.messaging
[12:57] jamespage: ok want me to do it?
[12:57] zul, thinking
[12:57] zul, no - leave it for corey or me - you focus on flex
[12:57] k
[13:25] "Bismillah writes Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trivial to exploit."
[13:25] mdev: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278)
[13:25] anyone looking into this?
[13:26] coreycb, whilst my test env rebuilds, taking a look at keystone
[13:28] hazmat, waiting on a release team ack for https://bugs.launchpad.net/ubuntu/+source/websocket-client/+bug/1374335
[13:29] Launchpad bug 1374335 in websocket-client "FFe: Sync websocket-client 0.18.0-1 (universe) from Debian unstable (main), juju-deployer 0.4.2, python-jujuclient 0.18.4" [Medium,New]
[13:29] jamespage, with regards to https://code.launchpad.net/~gnuoy/nova/bug1314677/+merge/236321 , can point 1 follow shortly or will you block on it?
[13:30] gnuoy, as it takes like 30 seconds todo point 1) yes I would block
[13:30] ack
[13:30] if you do it that way you can just use the patch from the upstream review for your packaging patch and forget about DEp-5
[13:31] jamespage, awesome.. going to do a minor future compatibility fix for jujuclient as they're changing some behavior incompatibly in trunk and release (0.18.5)
[13:31] lifeless, is there any way to make testr a little more friendly in the event of a missing import somewhere in a test codebase?
[13:31] mdev: this update mitigates that CVE: http://www.ubuntu.com/usn/usn-2364-1/
[13:32] lifeless, we hit this quite frequently during dev cycles as new deps are introduced and it would be nice if testr could identify these
[13:37] mdev heh?
[13:38] mdev equiv to the original? it's a stack issue, and the linking lib doesn't allow it to do any harm, other than to yourself
[13:38] and the last patch that went in, fixed it so that issue can't be triggered anymore, possible yes, but it's fixed before it gets there now
[14:04] jamespage, thanks!
[14:06] Quick question - is a question about linaro on-topic here?
[14:07] jrgifford: depends on the question I guess.
[14:07] jrgifford: there are also the #linaro and #linaro-enterprise channels which might be relevant.
[14:07] http://askubuntu.com/questions/530114/upgrading-ubuntu-13-09-to-13-10-for-lts
[14:08] I'm trying to figure out where to route that question on stackexchange.
[14:08] seems on-topic, but also doesn't seem on-topic.
[14:08] Would that question be on-topic *here*?
[14:08] (If it was asked here directly)
[14:08] I would recommend re-installing rather than upgrading.
[14:09] See http://askubuntu.com/questions/91815/how-to-install-software-or-upgrade-from-old-unsupported-release if you have to upgrade though.
[14:09] Your issue is that your system appears to be based on Raring, which is EOL.
[14:09] Right, but that's not my question ;)
[14:09] My question is "Is this a Linaro-specific question, or is it a Ubuntu question?"
[14:10] rbasak, looking at the failing DEP-8 mysql-5.6 tests:
[14:10] Failing test(s): main.ctype_uca main.mysqlhotcopy_archive main.mysqlhotcopy_myisam
[14:10] Technically, it's a Linaro-specific question, since Linaro/13.09 was done outside of Ubuntu.
[14:10] I think I fixed the hotcopy ones in mysql-5.5 already
[14:10] But we are friendly enough that it doesn't have to matter :)
[14:10] rbasak: thanks, that's what I wanted to know.
[14:10] they require writable /usr/lib or something
[14:11] jamespage: can we punt those upstream?
[14:11] jamespage, anything else need work, how about pysaml2?
[14:11] rbasak, maybe
[14:12] coreycb, I think it would be good to get pysaml2 into universe this cycle - it will still need a FFe for the sync from debian
[14:12] coreycb, please feel free to request!
[14:12] if it lands we can add it to the suggests of python-keystone
[14:12] patdk-wk: did a reinstall
[14:13] jamespage, Ok, I'll do that
[14:13] coreycb, ta!
[14:25] hi, I am having problems with bridge networking from a host (trusty) to the guest (also trusty, using virtio the guest does not even detect a link and with other drivers it detects the link but there's no connectivity
[14:26] any ideas?
[14:26] I am using the same config I have on another hosts
[14:33] hazmat, did you get your zmq test cases proposed?
[14:37] coreycb, zul: OK _ keystone fixed up
[14:38] jamespage: cool
[14:38] jamespage, ok - I opened bug 1375289
[14:38] Launchpad bug 1375289 in ubuntu "[FFE] Please sync python-pysaml2 (2.0.0-1) from Debian (unstable)" [Undecided,New] https://launchpad.net/bugs/1375289
[14:38] jamespage: just fixing flex with what i have in my ppa
[14:39] coreycb, thanks
[14:39] coreycb, "OpenStack Keystone's test suite depends on python-pysaml2." well thats true but thats not why we want it
[14:40] we can ignore pysaml2 in the context of the test suite; this is to allow users to feature preview the federation aspect of keystone, without doing another MIR this late in cycle.
[14:40] it reflects the amount of testing we have done of it == zero
[14:42] jamespage, ok thanks I'll update it
[14:42] coreycb, thanks - I'll confirm it once you have :-)
[15:02] zul, python-eventlet (>= 0.15.1)
[15:02] how important? might take a look
[15:03] jamespage: in the requirements repo?
[15:03] jamespage: makes me nervous
[15:07] zul, indeed - https://github.com/eventlet/eventlet/issues/122
[15:07] 15.1 appears to have some issues
[15:07] zul, the bump was only for ironic and paramiko ssh handling
[15:08] jamespage: then we should be ok
[15:08] adam_g, how critical was the eventlet version bump for ironic? I might try cherry pick the commits we need ontop of 0.13 if its super critical
[15:10] hallyn: so wanna package libvirt 1.2.9? ;)
=== bladernr_30kFeet is now known as bladernr_
=== kickinz1|afk is now known as kickinz1
=== Guest13468 is now known as balloons_
[15:26] zul, Just keep in mind that I'll bring my bean-filled whack bonk to the next sprint if you silently drop my patches again. ;-P
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
[15:27] smb: too late to merge :)
[15:28] Lucky you. :)
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
=== Lcawte is now known as Lcawte|Away
[15:43] coreycb, can you take a look at mterry's feedback on https://bugs.launchpad.net/ubuntu/+source/python-django-pyscss/+bug/1370452 please
[15:43] Launchpad bug 1370452 in python-django-pyscss "[MIR] python-django-pyscss, python-pyscss" [High,Fix committed]
[15:44] jamespage, yep
[15:44] coreycb, thanks
[15:47] jamespage, any tips on getting re "unexpected upstream changes" with python-pysnmp2?
[15:48] coreycb, hmm
[15:48] coreycb, are you working from the branch or from a raw source package?
[15:49] jamespage, lp:debian/python-pysnmp2
[15:49] coreycb, I'm not seeing that
[15:50] jamespage, hmm
[15:54] Anyone know if the current Trusty bash is immune to CVE-2014-6277 and CVE-2014-6278? The Ubuntu web pages I can find say no. Redhat says they are already patched for those.
[15:54] Delemas: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277)
[15:54] Delemas: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278)
[15:55] Basically I'm wondering if this also applies to the existing bash patches Ubuntu is using: "Yes, that is one of the CVEs that Red Hat builds are already immune to, by virtue of moving the function exports out of the regular variable namespace."
=== matsubara is now known as matsubara-lunch
[15:59] Delemas: http://paste.ubuntu.com/8459566/
[15:59] jamespage, pull-debian-source FTW!
=== kickinz1 is now known as kickinz1|afk
[16:06] RoyK: Those are listing the other three CVEs which I know are patched...
[16:06] Does anyone know if new EC2 AMIs will be created for http://www.ubuntu.com/usn/usn-2364-1/ ?
[16:07] Delemas: erm - how many others are there?
[16:07] There are two which I referenced which I'm trying to figure out whether we are already immune.
[16:08] This shows them as needs-triage/needed but I'm not sure if they are accurate: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6278.html
[16:08] Delemas: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277)
[16:08] * RoyK somewhat reflects over the fact that the pronunciation of 'bash' is similar to the Norwegian 'bæsj', meaning 'feces' :P
[16:09] Delemas: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278)
[16:11] Think I just answered my own question. Both are mitigated by existing patches. It is weird those pages say they are already fixed but then list status as needs-triage and needed.
=== Lcawte|Away is now known as Lcawte
=== niemeyer_ is now known as niemeyer
=== matsubara-lunch is now known as matsubara
[17:40] jamespage, it was pretty high, this was the bug that prompted it: https://bugs.launchpad.net/ironic/+bug/1321787
[17:40] Launchpad bug 1321787 in python-eventlet "Paramiko does not properly work with eventlet concurrency" [Undecided,Confirmed]
[17:41] jamespage, this was the patch that fixed it, https://github.com/eventlet/eventlet/commit/da87716714689894f23d0db7b003f26d97031e83 tho i think a subsequent patch may be required as well
=== cmagina_ is now known as cmagina
=== Lcawte is now known as Lcawte|Away
[19:34] Does anyone know where I can find the MD5 for ubuntu-14.04.1-server-i386.iso ?
[19:35] genii: http://cdimage.ubuntu.com/releases/14.04.1/release/SHA256SUMS and .gpg
=== balloons_ is now known as balloons
[19:35] sarnold: Thanks
[19:35] genii: and MD5SUMS if you really want those :)
=== balloons is now known as Guest63150
=== Guest63150 is now known as balloons_
[19:36] sarnold: i386 is not listed there
[19:37] genii: interesting, I hadn't even noticed that the i386 images aren't there...
[19:39] jamespage: yes, its awaiting review in http://bugs.python.org/issue19746
[19:39] jamespage: right now the behaviour you should be seeing is the failed imports listed
[19:40] jamespage: that patch will make it possible to show the actual exception as well
=== Lcawte|Away is now known as Lcawte
[20:00] where does 14.04 keep its motd information? i have a custom motd i would like displayed on login
[20:01] bastidrazor: see update-motd(5) for details
[20:02] sarnold: nice. i knew it had been moved a few years back. thanks
[20:03] Bah, from 3 different i386 images now I'm getting same error of "could not open builtin file '/lib/modules/3.13.0-32-generic/modules.builtin.bin'" .
[20:08] hi I am using ubuntu 14.04. Have a question on 'tc' utility, could it rate limit at millisecond range, like 50kb per 10ms ? thx
[20:10] rostam: probably not.
[20:11] sarnold, is there a good source of info on tc I can read other than man pages...
[20:12] rostam: http://lartc.org/lartc.html#LARTC.QDISC
[20:12] rostam: good luck :)
[20:12] sarnold, thanks so much.
=== jhenke_ is now known as jhenke
[20:15] Hm, I've got identical symptoms as bug 1371386
[20:15] Launchpad bug 1371386 in linux-meta-lts-trusty "No loop block dev support on trusty server install 3.13.0.32" [Undecided,New] https://launchpad.net/bugs/1371386
[20:18] lifeless, awesome
=== bilde2910 is now known as bilde2910|away
[20:19] jamespage: what symptoms are you seeing today? it may indicate you have old testr in the archive ..
[20:20] lifeless, here's an example - https://launchpadlibrarian.net/184677391/buildlog_ubuntu-utopic-i386.keystone_1%3A2014.2~b3-0ubuntu1_UPLOADING.txt.gz
[20:20] 0.0.18 of testrepository right now
[20:23] thats two releases stale
[20:24] yeah, you'll get much nicer output if you update the testrepository package
[20:24] jamespage: that bug was fixed march 3rd
[20:34] What are good ways to measure the time taken for a server failover? (eg: 2 Servers with HAProxy LB, when one server goes down, the LB could redirect the connections to the 2nd one)
[20:34] 2 servers and one LB*
=== balloons_ is now known as balloons
[20:47] Is shellshock patched in 13.10? I'm not seeing it in the security advisories
[20:49] Oh, its already EOL, nevermind
[20:49] That was short
[20:56] qman__: Was about to say that. 13.10 was the first with a 9 month support period.
[21:01] Vendors building images with non-LTS versions are so frustrating
[21:05] Down to 26 unpatched servers, 7 of which are ubuntu, all EOL versions
[21:11] qman__, not bad,
[21:34] Odd. That error I'm having is linked somehow to network discovery. If network setup is skipped the rest of the install goes fine.
=== Lcawte is now known as Lcawte|Away
[22:04] zul: btw i assume you were joking about merging 1.2.9 :)
=== thumper is now known as thumper-afk
[22:28] lifeless, ack - I'll take a look tomorrow
[22:29] hallamigo: i was
[22:31] hallyn: i was totally serious ;)
=== thumper-afk is now known as thumper