/srv/irclogs.ubuntu.com/2014/12/03/#ubuntu-server.txt

=== Metacity is now known as ChewToyOfFailvil
=== ChewToyOfFailvil is now known as Metacity
=== markthomas is now known as markthomas\|away
=== bilde2910\|away is now known as bilde2910
acmehandle	How do I go about updating my openssl?	02:50
acmehandle	I have version 1.0.1f and I should have version 1.0.1g	02:51
sarnold	acmehandle: sudo apt-get update && sudo apt-get -u upgrade	02:51
acmehandle	Hhhm, I ran update. This is a fresh install.	02:51
sarnold	acmehandle: check that the version that is installed matches the most recent release http://www.ubuntu.com/usn/usn-2385-1/	02:52
acmehandle	Yeah, '0 upgraded'	02:52
sarnold	acmehandle: you can check the version with dpkg -l openssl 'libssl*'	02:53
acmehandle	Yeah, it says 1.0.1f	02:54
acmehandle	Which is a January release	02:55
acmehandle	First thing I did when I started this vps was upgrade	02:55
sarnold	oh I'm sorry, I forgot dpkg -l cuts off the version numbers. sigh.	02:55
acmehandle	update then upgrade rather	02:55
sarnold	acmehandle: dpkg -l openssl 'libssl*' \| cat	02:55
sarnold	the pointless \|cat means output isn't a terminal, so it won't truncate the vresion numbers. look for the 1.0.1f-1ubuntu2.7 or whatever...	02:56
Patrickdk	or just do a apt-get install openssl libssl	02:56
Patrickdk	and it will force it	02:56
acmehandle	Right, it all says 1.0.1f	02:56
sarnold	acmehandle: that's not the part that matters.	02:56
acmehandle	oh	02:57
sarnold	acmehandle: the part that matters is _after_ the hyphen	02:57
Patrickdk	but openssl website says he needs g or h :)	02:57
acmehandle	-1ubuntu2.7	02:57
Patrickdk	your fine	02:57
sarnold	acmehandle: yay :) you've got hte most recent	02:57
acmehandle	What Patrick said. :/	02:57
acmehandle	So why does openssl says g	02:58
teward	acmehandle: the OpenSSL website may say that you need g or h, but the security patches to fix those vulnerabilities have already been applied to 1.0.1f-1ubuntu2.7	02:58
acmehandle	Ah, I see.	02:58
teward	acmehandle: openssl upstream will always recommend to use the latest release to get all the bug fixes	02:58
sarnold	acmehandle: because they think everyone downloads openssl source and recompiles it all the time, when in reality, almost no one compiles their own openssl, because that's how you get regressions :)	02:59
teward	but the security team takes the upstream patch commits and applies them to the older revisions (like 1.0.1f) and patches the vulnerabilities, in accordance with security triage procedures.	02:59
teward	and what sarnold says.	02:59
teward	acmehandle: but rest assured, so long as the full version string (1.0.1f-1ubuntu2.7) is installed, you're fine, as it has those patches	02:59
sarnold	I mean, I'm glad for the folks who do run upstream openssl, because someone has to find the regressions :)	02:59
sarnold	.. same as I'm glad someone runs linus's -rc kernels :)	03:00
Patrickdk	the only upstream that maintains stuff, is bash :)	03:01
sarnold	Chet was amazing during the whole shellshocked thing.	03:03
=== Metacity is now known as DiedN0AsAlways
=== DiedN0AsAlways is now known as DiedNight0AsAlwa
=== DiedNight0AsAlwa is now known as Metacity
teward	sarnold: indeed.	03:04
teward	Patrickdk: heheh	03:05
Patrickdk	hey, it made life easy for me to backport that crap to debian v4	03:05
teward	urgh, debian 4...	03:12
teward	makes me glad I use Ubuntu, I don't have to deal with massive version changes from one release to another, as much...	03:13
Patrickdk	well, not my fault	03:13
Patrickdk	company I contract for, bought another company	03:13
teward	heh	03:13
Patrickdk	they where working on a new product (fully deployed on 13.10? why? not lts?)	03:13
Patrickdk	and the old system that was in, self-manage mode, was left from years ago, on debian4	03:14
teward	Patrickdk: at least you aren't having to take 14.04 patches and taking them back to Hardy, or god forbid Dapper, versions	03:14
* teward had a case where he had to do that :/		03:14
sarnold	Patrickdk: zounds...	03:14
Patrickdk	I took over maintance a month	03:14
Patrickdk	and hadn't even learned where everything was yet	03:14
Patrickdk	teward, I had already backported around 30 things to trusty, 2months before it was released	03:15
teward	Patrickdk: tell me about it, during the Trusty dev cycle I was already backporting entire packages to Precise just for my own needs, let alone nitpicking security patches	03:15
Patrickdk	no, I mean, to trusty, before release	03:16
Patrickdk	to precise, ya, still doing that	03:16
Patrickdk	I have dropped support for lucid though	03:16
Patrickdk	half my stuff is on trusty	03:16
Patrickdk	the other half, is likely never to upgrade, but will be replaced	03:16
Patrickdk	or run in parrallel, till precise dies	03:17
teward	Patrickdk: funny story: when i took over the nginx PPAs, it was around 12.04 that I took over almost exclusively, and the first thing I did was drop all Lucid support - that was causing headaches upon headaches for me... and I had bad experiences with the interim dev releases so I just started sticking to LTSes	03:17
teward	makes life easier on production systems, sticking to the LTSes	03:17
teward	(so long as you backport software where necessary to support the applications you have to run)	03:18
Patrickdk	why must the rhel installer be so annoying compared to ubuntu	03:21
teward	+1	03:22
acmehandle	Any advice where I should point the 'root' path on my server? I often hear that /var/www/ is not a good place	03:27
Patrickdk	and I always thought it was /root	03:29
sarnold	Patrickdk: lol	03:29
sarnold	acmehandle: what's wrong with an htdocs of /var/www/?	03:29
Patrickdk	it depends on a crapload of things	03:29
Patrickdk	nothing to do with not a good place :)	03:29
acmehandle	The great thing about the internet is that anyone can be an admin.	03:30
Patrickdk	it is as good a place as any other, depending on how you configure your server	03:30
acmehandle	sarnold: I honestly dont know. For django framework I hear one thing,	03:30
acmehandle	for rails I hear another.	03:30
acmehandle	when talking to apache its another.	03:30
Patrickdk	that is cause they all have their own defaults	03:30
Patrickdk	just adjust it, and make sure you maintain proper security	03:31
Patrickdk	though, with django/rails/...	03:31
Patrickdk	they will be working as fastcgi likely	03:31
Patrickdk	so they don't even have to even care	03:31
Patrickdk	as long as you direct the aliases for their static content, correctly	03:31
Patrickdk	they could even be on totally seperate servers, as far as apache cares	03:32
sarnold	acmehandle: aha. :) there's a fair amount of cargo-culting in some of those communities. It might not hurt to ask "why?" when something seems arbitrary :)	03:33
Patrickdk	:)	03:34
acmehandle	Right, the 'why' is where I have to remember to put on an asbestos suit	03:34
Patrickdk	normally the answer is, cause you have to change it so many times!	03:34
sarnold	sometimes yes :) hehe	03:34
sarnold	I'm a grumpy old grouch so I don't much care one way or the other, hehe :)	03:35
acmehandle	I'm admining my own vps webserver. So honestly I dont care. I'm going to experiment with nginx this time around and hopefully experiment with django and rails	03:35
acmehandle	and some javascript	03:35
acmehandle	I personally dont even care about nginx or apache for that matter, but from what I gather so far if I want to do any kind of web sockety stuff I need nginx	03:36
acmehandle	But I thought there were some kind of genuine security concerns the way everyone makes it sound about /var/www/ or wherever.	03:36
sarnold	acmehandle: I found nginx easier to configure than apache; I've never pushed either one far enough to worry about their performance	03:38
sarnold	acmehandle: I really don't like the debian style of having the apache or nginx process owned by user www-data --- the name encourages people to set the owner of their web contents to www-data. But you don't want the web server to have write access to anything, beyond its log files and maybe a database / fcgi socket ...	03:39
sarnold	acmehandle: I wish the web server ran with a username like www-exec or www-prog or something that didn't scream "chown all your files to me"	03:40
teward	sarnold: and, in the case of dynamic PHP apps like forums, the forums' cache folder, is sometimes ok to write to.	03:40
acmehandle	Yes, thus far thats what I hear quite often. Only thing that bothers me is I spent time on figuring out the proper settings I need for apache on one vps and somehow by magic all my settings were rolled back. So now I'm in the process of transfering to another vps and am starting from scratch, so to speak. At least this vps runs ubuntu 14 whereas the other one was 10.04.	03:41
sarnold	teward: ahh, yes, I always forget about php. (It's not like I _try_, I just don't think of it often. :)	03:41
sarnold	acmehandle: yikes and yikes :)	03:41
sarnold	acmehandle: that can sometimes happen when they've got some helper frontend like cpanel or whatever. blech.	03:41
acmehandle	sarnold: with regards to www-data. Isnt it user: apache if compiled from source?	03:42
sarnold	acmehandle: or httpd or something, yeah	03:43
sarnold	acmehandle: this is a failing in debian policy, a failing ubuntu has inherited.	03:44
acmehandle	Ah right.	03:44
acmehandle	The thing that bothers me mostly about nginx is its thin license.	03:46
acmehandle	I get this sense like they can yank the public license at any time	03:47
acmehandle	then all those big fancy lovely websites running on nginx would be the only ones who could afford nginx	03:47
Patrickdk	heh?	03:48
Patrickdk	why would that matter?	03:48
Patrickdk	the older releases would still be available	03:48
Patrickdk	and can be forked	03:48
sarnold	a great many projects have contributor license agreements that allow relicensing to e.g. BSD or MIT -- which amounts to much the same thing	03:52
grendal_prime	I got docmgr up and working but it will not index word documents	05:37
faraway	hi, I installed ruby2.0 on my 12.04 server using the brightbox but currently those a keep back from upgrade as there seems a dep issue „ruby2.0 : Depends: ruby (>= 1:1.9.3.1)“ is anyone here also using brightbox?	06:56
=== Lcawte\|Away is now known as Lcawte
lordievader	Good morning.	08:18
adac	ubuntu saves the data in: /var/lib/postgresql/9.3/main what exactly happens when there comes postgres version 9.4?	09:45
adac	would then change the data directory too?	09:45
=== zz_DenBeiren is now known as DenBeiren
pmatulis	morning	12:19
lordievader	Hey pmatulis, how are you doing?	12:21
pmatulis	lordievader: tired, i need some ginseng	12:30
lordievader	Not coffee?	12:39
ObrienDave	coffee 1st	12:47
=== ihre is now known as ihre`bnc
=== ihre`bnc is now known as ihre
=== TonyL is now known as Guest41932
=== Lcawte is now known as Lcawte\|Away
=== Lcawte\|Away is now known as Lcawte
=== Guest41932 is now known as TonyL
K4k	Is there a way in apt to set an alternate mirror for a repository should the primary one be unavailable for some reason? What I'm trying to do is force clients to use our internal package repo when onsite but still be able to get updates offsite since the internal mirror will not be facing outside the firewall.	15:37
jpds	K4k: Yep, just have another 'deb' line for the repo in sources.list.	15:37
jpds	K4k: apt ignores the things it can't get to.	15:38
K4k	Is there a way to set a priority on the deb entries or does it just pick the one that's listed in the file first?	15:38
jpds	K4k: It takes what it can.	15:38
K4k	For example, could I use two different sources.list.d files with 01-internal and then 02-external as the source file names?	15:38
genii	!pinning	15:38
ubottu	pinning is an advanced feature that APT can use to prefer particular packages over others. See https://help.ubuntu.com/community/PinningHowto	15:38
K4k	genii: thanks!	15:39
genii	K4k: Yer welcome :)	15:39
jpds	K4k: Pinning is something different.	15:41
jpds	K4k: If the repos have the same packages, it doesn't matter.	15:42
genii	jpds: It's usual usage is to freeze a file at a particular version or to only use one from a particular repository. But it is more flexible than people think.	15:42
=== MeltedDed is now known as MeltedLux
K4k	jpds: yeah, was just reading that... it can set priority but doesn't look like you can pin priority based on repo, only per package.	15:43
jpds	K4k: Another thing you can do is a DNS hijack.	15:43
K4k	Would have to be on the client side using dnsmasq... which sounds ugly and error pron	15:44
jpds	K4k: Have like; gb.archive.u.c go to an internal IP as opposed to the real one.	15:44
jpds	What's wrong with dnsmasq?	15:44
K4k	Having to muck with DNS resolution client side just seems like a bad idea to me	15:44
jpds	Well, It Works.	15:45
K4k	How would I do that anyway. I would need some sort of conditional based on their interface IP?	15:45
jrwren	does apt-cacher-ng help achieve your goal?	15:46
jpds	apt-cacher-ng is so unreliable.	15:46
jpds	squid-deb-proxy++	15:46
K4k	Was looking at approx, apt-cacher-ng and apt-proxy(?) and none of them seem to do what I need the way I need to do it. They all do some part of it though	15:47
jpds	K4k: You tell dnsmasq: if you see a request for; archive.ubuntu.com, give it this A record -> 10.0.0.2, etc.	15:48
jpds	Where that A record is your internal mirror.	15:48
K4k	and when they're not on the internal network, how would it fall back to using the actual archive.ubuntu.com address?	15:48
jpds	K4k: Yes.	15:49
jpds	K4k: You set that on your LAN's DNS server.	15:49
jpds	K4k: Nothing special on the clients.	15:49
K4k	I don't have control over the LAN DNS unfortunately :(	15:49
K4k	Well... let me rephrase that	15:49
K4k	It's a windows DNS server. I'm not sure if it can do that	15:50
genii	Hm. Conceivably you could just have a post-up directive for the ethernet adapter which decides where it's connected, and sets the Dir::Etc::sourcelist "sources.list"; variable to something appropriate	15:50
jrwren	if only upstart had a network-changed event you could toggle between sources.list files using it.	15:50
jrwren	what genii said.	15:51
jrwren	I forgot about post-up	15:51
K4k	some sort of client side resolution timeout would be all I'd need really. `if archive.ubuntu.com; then go 10.0.0.2; redirect after 30s back to archive.ubuntu.com proper`	15:52
K4k	but I'll investigate all of these possibilities. They all sound good.	15:52
genii	K4k: Apologies for not properly understanding your original question, had to go back up and carefully read it first :)	15:55
jpds	K4k: Could you do a transparent proxy on the LAN?	15:55
K4k	jpds: I don't think so, not easily.	15:56
NigeyS	afternoon :)	15:57
NigeyS	can anyone recommend a way to get a file from server1 to server2 using scp as root without hardcoding the password into the script that runs it?	15:59
jpds	NigeyS: SSH key.	15:59
K4k	pubkeyauth?	15:59
jpds	NigeyS: And whatever you do, use a forced command: http://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/	16:00
NigeyS	jpds we use ssh keys currently .. if i use ssh key via a bash script, and it prompts for a password does that interrupt the script at all ? .. trying to scp apache configs to server2 after creating them on server 1 but dont want to use a hardcoded password in the script, or paswordless ssh keys, work will fire me for that !	16:01
jpds	NigeyS: The SSH key has a passphrase?	16:01
NigeyS	no, not by default on AWS instances, if i enable it it enables passwords for all users right ?	16:02
jpds	NigeyS: You're talking about two different things.	16:03
NigeyS	oh sorry see what you mean, keyphrase on the key itself	16:03
K4k	NigeyS: for that purpose I typically use Git, actually	16:03
jpds	NigeyS: If the key has no passphrase, it shouldn't prompt for one in the script.	16:03
NigeyS	currently it doesnt no, i could add that to server 2's ubuntu user, but how do i sudo to get that file in /etc/apache2 within the script ?	16:03
K4k	you can do the transfer with a non-root user and then use a git-hook to put the file from the local git repo in to the web directory using root locally on the system	16:04
NigeyS	oh, thats something i havent heard of before	16:04
NigeyS	i guess the other option is to put configs in a dir that doesnt require root access	16:05
* jpds wonders why system1 should be poking with server2's apache config.		16:05
K4k	Others may have a different opinion on that but that's how I manage all of my websites so that I don't have to deal with sftp or scp when I update site content	16:05
NigeyS	jpds cluster of web servers, configs have to be kept in sync	16:05
K4k	or you could configure ACLs for limited access to the directory by an unprivileged user	16:05
jpds	NigeyS: Well, use something like Puppet for that.	16:05
K4k	^^^	16:06
NigeyS	cant have test.com exist on server1, and not server2 as theyre load balanced.	16:06
K4k	puppet	16:06
jpds	NigeyS: Puppet, Chef, salt, ansible, are all built for this kind of thing.	16:06
NigeyS	thats a bit overkill for something thats only going to happen a few times amonth at the most.	16:06
jpds	Your life will be a happier place than having root run around with shell scripts.	16:07
NigeyS	thats a fair point	16:07
NigeyS	ideally i like the config on the nfs mount and they dont have to be copied anywhere but dammed if i can find how to tell apache to look there for them, on ubuntu at least.	16:09
K4k	symlink?	16:09
jpds	NigeyS: Yeah, and there's the NFS server dying.	16:09
jpds	NigeyS: And your HA cluster going along with it.	16:09
NigeyS	i really dont want to symlink to nfs for that very reason	16:09
K4k	Just HA all the things	16:09
jpds	Automate all the things.	16:10
NigeyS	so far everything but this is automated :)	16:10
K4k	soooo... then we're back to puppet jpds?	16:10
K4k	:P	16:10
jpds	Why not.	16:10
NigeyS	lol ok! i'll go look at puppet :)	16:10
K4k	If not puppet then, personally, I'd use the git-hooks but even that's kind of iffy	16:10
jpds	NigeyS: And with puppet, you can tweak a lot more than just Apache.	16:11
NigeyS	thats true, i will go read :) thanks for the advice	16:11
=== Xbert is now known as Guest12533
NigeyS	while i'm here, any of you ever had a situation where your gss.d and statd logs were filling up with lines of "y" to the point where it uses 30GB in a few hours ?	16:12
K4k	Is anyone here using foreman? I am working on our package management systems, since we have to re-vamp everything for RHEL7 anyway, and saw that Foreman can manage both Redhat and Ubuntu packages but some material was talking about using Katello as well, is that something that works with Ubuntu or is that soley a RHEL thing?	16:13
K4k	And how do you like foreman if you are using it?	16:14
jpds	I've been meaning to try it but haven't had time to do so yet.	16:15
Ameurux	hi	16:15
Ameurux	anyone know if pxelinux.0 is added on the FIX?	16:16
jpds	Ameurux: FIX?	16:16
Ameurux	it's a bug	16:16
jpds	Which bug?	16:16
Ameurux	pxelinux.0 is missing on 14.10	16:16
jpds	Ameurux: Erm, no.	16:16
jpds	Ameurux: pxelinux.0 is a file you're suppose to create for your PXE server.	16:16
Ameurux	ok, thx, Im just trying to get PXE server working on 14.10	16:17
Ameurux	will give it a try	16:17
Ameurux	thx	16:17
K4k	genii: Looks like post-up.d script will do what I need. I can have it try to resolve the address for our internal mirror and if successful I can set a line in /etc/hosts to re-point archive.ubuntu.com to our internal server	16:17
* jpds really doesn't like the sound of network stuff poking files in /etc.		16:18
K4k	* or set up something in dnsmasq	16:19
jpds	One day you'll wake up and find your /etc/hosts file is empty.	16:20
K4k	heh... yeaaahhhh	16:20
K4k	PUPPET!	16:20
K4k	:P	16:20
NigeyS	Warning: Do not use this module on an existing Apache setup. It will purge any Apache configurations that are not managed by Puppet.	16:23
NigeyS	thats not very good of puppet..lol	16:23
jpds	NigeyS: It is.	16:24
jpds	NigeyS: If it's not managing it, it shouldn't be there.	16:24
NigeyS	but i have already set up and installed apache..	16:24
jpds	It's too avoid config conflicts.	16:25
jpds	NigeyS: Last thing you want is to have "www.test.com" by hand.	16:27
jpds	NigeyS: Then add a vhost in Puppet for "www.test.com".	16:27
jpds	NigeyS: And then Apache dying as there's two configs for that domain.	16:28
NigeyS	yup, there's that !	16:31
K4k	It's fairly straight forward to tell puppet "deploy this config file". Though it is proper to use the Apache modules you can just say "put this file here"	16:33
K4k	If all you're using it for is to deploy a couple of configs to two different systems, that's going to be the path of least resistence to get it working and then you can worry about migrating to the "proper" way later	16:34
jrwren	NigeyS: chown the config files you want to copy to some non-root sentinel account and scp using that?	16:36
jpds	jrwren: ...	16:36
K4k	XD	16:37
jrwren	NigeyS: are you using an ssh-agent?	16:37
K4k	OH! You don't need a puppet server to do what you want. You could put the puppet manifest that manages the config file on an NFS share and then there is a flag for puppet-agent you can use on the client to just read from that "local" manifest file	16:39
K4k	I just remembered that	16:39
=== webwiz is now known as jturek
NigeyS	sorry just got back.. let me read up :)	16:48
NigeyS	jrwren good idea, turns out this script ive been writing doesnt want to work properly anyway lol maybe thats a sign ;)	16:49
NigeyS	anyone care to take a look and see why im getting some funky errors? http://pastebin.com/HL36G0Tp	16:54
NigeyS	./Test2.sh: 10: ./Test2.sh: function: not found	16:54
NigeyS	./Test2.sh: 13: [: =: unexpected operator	16:54
NigeyS	./Test2.sh: 21: [: =: unexpected operator	16:54
patdk-wk	not really	16:57
patdk-wk	but likely cause the script was written in bash and not dash	16:57
NigeyS	well,it works fine without my new $restartapache commands, but theyre just a duplicate of $needdb .. so i dont get why it doesnt work	16:58
jrwren	NigeyS: bash v. dash?	16:58
NigeyS	wouldnt that cause it to not work at all in bash though?	16:59
acmehandle	How can I find out if openssl was built with tls compression enabled?	16:59
jrwren	NigeyS: no. anyway, I think you want function createsite() {.. }	16:59
acmehandle	Sorry if this sounds like a stupid quesiton	16:59
NigeyS	jrwren okies, ill keep fiddling	17:00
NigeyS	jrwren works fine i removed #!/bin/bash by mistake	17:03
=== markthomas\|away is now known as markthomas
jrwren	NigeyS: :)	17:09
NigeyS	but just realised that script will cause apache to fail	17:10
* NigeyS needs more coffee		17:10
patdk-wk	acmehandle why does it matter?	17:11
jpds	NigeyS: http://paste.ubuntu.com/9355999/	17:14
jpds	NigeyS: That was easy.	17:14
NigeyS	jpds legend! lol	17:15
acmehandle	Because I dont want RC4 enabled on my server.	17:15
patdk-wk	what does compression have to do with rc4?	17:15
NigeyS	but theres a few extra things id have to get puppet to do aswell, like insert the user data to the auth database etc	17:15
jpds	NigeyS: Though, I've not tested it, and you'll probably need to load a CGI module.	17:15
NigeyS	acmehandle try openssl version -a	17:15
acmehandle	patdk-wk: it is similar in nature.	17:16
patdk-wk	heh?	17:16
patdk-wk	rc4 is cipher	17:16
patdk-wk	compression is well, compression	17:16
patdk-wk	totally different in nature	17:16
NigeyS	jpds i need to chage that script quite a bit as far as the vhost settings go, we dont use cgi anymore for example, and i dont think all those options work with 2.4	17:16
acmehandle	patdk-wk I'll admit I'm not an expert but: https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what	17:17
patdk-wk	I can understand rc4, it's not very secure anymore	17:17
acmehandle	In the System Administrators section	17:17
K4k	jpds: It looks like dnsmasq, using the -y flag, can select an IP from /etc/hosts for a given hostname that is on the same subnet. That might work for what I was trying to do earlier.	17:17
patdk-wk	acmehandle, yes, but that website is talking about scope	17:18
patdk-wk	the only tls compression attack is crime	17:18
patdk-wk	and that requires you to send repeated data at the start of the session	17:18
patdk-wk	it doesn't apply to openvpn	17:18
RoyK	hi all. I have a wee problem here, not really related to ubuntu server, but I hoe it's not too offtopic. I login to this host, call it A, and I run xfreerdp from there and to a windows server on a closed-off network	17:19
RoyK	now, xfreerdp and xquartz aren't good friends, so it the keyboard doesn't work. I can't use rdesktop, since the windows servers require crypto not supported by rdesktop. I don't have a linux machine here atm, so wonder if it's possible to do this with some ssh tunnel magick	17:20
RoyK	the host A is heavily firewalled and only answers to 22/tcp. From there on, it's fairly open	17:21
patdk-wk	sure as long as they didn't disable ssh tunnels/forwarding	17:22
RoyK	patdk-wk: I didn't :P	17:23
patdk-wk	it's common for me to disable those now :)	17:23
patdk-wk	had too many people abusing them	17:23
RoyK	patdk-wk: not many have access to this box	17:23
patdk-wk	I had some users passwords get compromised	17:24
patdk-wk	and the new owners, used ssh to portforward and attack other systems	17:24
RoyK	patdk-wk: it requires both key and password, so it's a bit hard that way	17:24
RoyK	patdk-wk: and company policy is to require password protected keys	17:24
jrwren	RoyK: ssh -n -N -L 3389:windows-server:3389 A ; remote desktop to localhost	17:29
patdk-wk	if you use remmina, it has an option under ssh to do it for you :)	17:32
=== guampa_ is now known as guampa
grendal_prime	ok soooo after i got this thing up and running and everything seems to be working right, I transfered the vm to the production server and although it seems to be up and working correctly i cant log into the web interface.	17:43
grendal_prime	ip address is differnt, is there something i need to change ...listening address or such on the alfresco server?	17:43
hadifarnoud	I have never setup an email server. can someone see this tutorial and tell me how I should setup outgoing server on my Mail client? http://www.krizna.com/ubuntu/setup-mail-server-ubuntu-14-04/	18:24
hadifarnoud	I used standard default setting (port 25 with password auth)	18:24
grendal_prime	ok...dont know why but it just...started working	18:26
bekks	hadifarnoud: USe this one: https://help.ubuntu.com/community/Postfix	18:26
grendal_prime	is it possible to connect this to an existing filer? Whe have a samba based cifs server that already has a bunch of document on it.	18:27
jamespage	tyhicks, kirkland: have you seen this bug ? https://bugs.launchpad.net/ecryptfs/+bug/1328689	18:27
uvirtbot	Launchpad bug 1328689 in ecryptfs-utils "ecryptfs-utils does not work with Ubuntu 14.04.1" [Undecided,Confirmed]	18:27
tyhicks	jamespage: I've seen the bug report but haven't had a chance to look into it	18:32
hadifarnoud	bekks: my postfix config for smpt is "submission inet n - - - - smtpd"	18:33
hadifarnoud	not sure what "chroot" is for but it is not set to "n"	18:33
hadifarnoud	what is starttls in postfix? right at the end of this tutorial, there is an example conf for mail client. I have no option for "STARTTLS" on OSX Mail.	18:46
teward	hadifarnoud: might be 'SSL/TLS' or just 'TLS'	18:47
teward	(at least in OSX mail)	18:47
hadifarnoud	teward: I've got 'Use SSL' next to port and 'TLS (External client certificate)' in authentication.	18:49
hadifarnoud	bit confused. that means I have to provide a certificate to OSX Mail?	18:49
patdk-wk	no idea	18:51
patdk-wk	funky osx	18:51
hadifarnoud	teward: also, there is an option for TLS certificate.	18:51
hadifarnoud	bloody OSX Mail	18:51
hadifarnoud	I guess SSL check box next to port is sort of TLS.	18:52
hadifarnoud	fault might be with my server setup	18:52
tyhicks	kirkland: re: bug #1328689> When running the adduser --encrypt-home command, it proceeds to try to mount the home directory before prompting for the user's password	19:06
uvirtbot	Launchpad bug 1328689 in ecryptfs-utils "ecryptfs-utils does not work with Ubuntu 14.04.1" [Undecided,Confirmed] https://launchpad.net/bugs/1328689	19:06
tyhicks	kirkland: so a valid auth tok obviously isn't in the kernel keyring yet	19:07
hadifarnoud	seems like my sever blocks connection from other IPs. I get this error in syslog "SSL_accept error from unknown[31.159.97.167]:"	19:09
=== Lcawte is now known as Lcawte\|Away
abrams	hello :)	19:35
pmatulis	hello there	19:35
abrams	guy's I have a problem with Unity desktop	19:36
abrams	i can't find resolution	19:36
pmatulis	abrams: try #ubuntu , this is the channel for ubuntu server	19:36
pmatulis	see topic ↑	19:36
abrams	When I try to drag and drop icon from unity to desktop	19:36
NigeyS	anyone know if i put an IncludeOptional into apache2.conf and it points to vhost configs, do i still have to run them through a2ensite?	19:37
abrams	ok	19:37
abrams	sory :)	19:37
pmatulis	abrams: is ok	19:37
=== markthomas is now known as markthomas\|away
=== markthomas\|away is now known as markthomas
=== bilde2910 is now known as bilde2910\|away
kully3xf	what's up all. How can I compare many text file's contents in two directories?	21:32
kully3xf	diff -r dir1 dir2?	21:33
kully3xf	will that compare the file's contents or just if the file exists	21:33
elliotd123	anyone know if there's software out there that can basically let me run proccesses with the GPU instead of the onboard CPU?	21:51
genii	Probably the closest thing would be anything compiled using CUDA, but you'd also need an NVidia for that	21:57
elliotd123	that's ok, so I'm not familiar with CUDA, is that a compiler?	21:59
genii	elliotd123: It's a parallel-processing library from NVidia. It uses the cores of their GPUs	22:02
genii	elliotd123: If an app is compiled from source with CUDA enabled, it will use the NVidia card to run them on.	22:02
elliotd123	Sounds intriguing. I'll look into that. Thanks, genii	22:03
=== Lcawte\|Away is now known as Lcawte
acmehandle	Is there a difference if I install something using just apt-get versus something from ppa?	22:19
acmehandle	I often see suggestions to install someting using PPA and I am wondering how necessary that might be	22:20
Patrickdk	it is the same thing	22:20
Patrickdk	just ppa normally means, not maintained by ubuntu	22:20
genii	Some PPA are more trusted than others, like for instance xorg-edgers	22:21
Patrickdk	I trust my ppa a lot	22:21
mapleton	I have a problem with Bind9.8 and Samba4(latest git) on Ubuntu Server 12.04.5LTS. I'm trying to get DNS_DLZ working. The DNS server was starting without the dynamic zones, and doing lookups fine, but integrated it hasn't started; AppArmor is throwing a permissions error on /usr/local/samba/private/dns/sam.ldb (just wants r.) I see the line for that file in /etc/apparmor.d/local/usr.sbin.named (named is the bind user accoun	22:21
TechIsCool	how do I give a different user access to a single file	22:22
TechIsCool	I still need to allow the access to the file from the origingal group and user	22:22
Patrickdk	make a new group	22:23
Patrickdk	enable and use acl's?	22:23
=== MeltedLux is now known as MeltedDed
sarnold	mapleton: you were cut off at "bind user accoun"	22:32
sarnold	mapleton: if you have a line /usr/local/samba/private/dns/sam.ldb r, in your /etc/apparmor.d/local/usr.sbin.named file and your main /etc/apparmor.d/usr.sbin.named file has an #include <local/usr.sbin.named> line, then you just need to reload the profile; apparmor_parser --replace /etc/apparmor.d/usr.sbin.named should do it	22:33
mapleton	thanks, sorry.	22:33
mapleton	was basically complete.. gonna give that a shot	22:33
mapleton	okay... got a little further. "could not create /var/run/named/session.key" I'm guessing its a permissions issue, since I'm no longer running bind as the default. The samba wiki mentions (for the zone files) to chown named:named and chmod 640. Does that apply here?	22:45
=== bilde2910\|away is now known as bilde2910
sarnold	mapleton: sorry, dunno there; it could be apparmor again.	22:46
sarnold	mapleton: check again for more DENIED lines in dmesg	22:46
mapleton	No Apparmor DENIED now, just a couple of permission errors, both in that directory. Is it safe to add the chown and chmod 640 permission to /var/run/named/?	22:53
sarnold	mapleton: it's probably safe	22:53
sarnold	.. I'm not an expert on either one, but some user account has to own them, and it could either be bind or samba, depending upon how they are modified..	22:54
mapleton	one more thing, I guess: how do I find the current ownership and permissions stats of a file	22:54
sarnold	mapleton: ls -l is the easiest	22:54
sarnold	mapleton: stat /path/to/filename can also show you	22:55
keithzg_	Hrmmm, does postfix filter relay recipients only during an actual connection to the relay?	22:55
mapleton	many thanks for your help, btw.. sarnold.. its my second day on ubuntu	22:56
sarnold	mapleton: welcome aboard :)	22:56
* keithzg_ is seeing a server just deferring mail to addresses that in theory should be filtered out by our relay_recipients		22:56
sarnold	mapleton: could you file a bug against apparmor (ubuntu-bug apparmor) once you've gotten it sorted? we may want to add the rules you needed to the default profile	22:57
mapleton	will do, thanks	22:57
mapleton	although I do feel a bit of a 'computer user, non-technical' so was thinking its more user error than anything ;)	22:59
sarnold	mapleton: hehe, not a bad first instinct, but it could be the others who have done this setup before you didn't report bugs either, hehe :)	23:02
=== Lcawte is now known as Lcawte\|Away
mapleton	screw it... chmod 666 -r /	23:08
sarnold	hehe	23:10
mapleton	okay.. I've exhausted the troubleshooting steps I could guess at. I even added (and reset) the directory to apparmor (** rwk) in case... "Could not open '/var/run/named/named.pid',"could not create /var/run/named/session.key" I used stat, and not entirely sure I know what I'm looking for, but its chmod is 664	23:23
mapleton	I changed ownership to named. I assume the error "named[1913]" means thats the executable context (the daemon named)	23:25
sarnold	mapleton: correct, the 'named' comes from the process's "comm" field (first 16 bytes) and the 1913 is the pid of the process	23:28
mapleton	chown -r named /var/run/named did it. one more error, but hey.. probably similar	23:31
=== jvwjgames_ is now known as jvwjgames

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!