/srv/irclogs.ubuntu.com/2015/02/05/#ubuntu-server.txt

[00:17] <zotta> I want to execute a conversion program on data uploaded to a website. However the converter is known to have security issues all the time.
[00:17] <zotta> Is there a way to run such a program in a sandbox?
[00:17] <zotta> Basically I want to restrict reading files to one input file and writing to one output file, prevent network access and limit execution time and ram
[00:21] <sarnold> zotta: you can wrap the converter in an apparmor profile
[00:21] <Patrickdk> well, if you combine apparmor and ulimit it will do most of that
[00:21] <Patrickdk> but never looked at limiting network access
[00:22] <sarnold> apparmor can deny network access, "deny network," ought to do the trick -- but that might also forbid e.g. unix sockets if that's how the web server drives it, hehe
[00:23] <jjohansen> sarnold: sure but you can allow unix sockets, and just not allow network
[00:24] <jjohansen> since it's default deny, network will be denied
[00:24] <sarnold> hey jjohansen :)
[00:24] <jjohansen> hey sarnold
[00:26] <zotta> Does it support whitelist for file read access?
[00:26] <sarnold> zotta: yes
[00:26] <sarnold> zotta: for example, here's my irssi (irc client) profile: http://paste.ubuntu.com/10062642/
[00:27] <zotta> Sounds great. I will up on it.
[00:27] <sarnold> hmm, that could use some slight improvements...
[00:27] <sarnold> but I hope it helps convey the flavour of apparmor profiles :)
[00:28] <zotta> :) thx
=== morenoh151 is now known as morenoh149
[02:00] <Patrickdk> I had to adjust my apparmor profile today :(
[02:00] <Patrickdk> users couldn't send email
[02:01] <jjohansen> Patrickdk: what was the message that was logged?
[02:01] <jjohansen>   dmesg | grep DENIED
[02:01] <jjohansen> or
[02:01] <jjohansen>   grep DENIED /var/log/syslog
[02:01] <Patrickdk> heh?
[02:02] <Patrickdk> the message that was logged was, denied x to /usr/sbin/sendmail
[02:03] <Patrickdk> as, by normal sanity, there is nothing in /usr/sbin a user needs, except sendmail apparently
[02:04] <sarnold> you let your users send email? how decadent :)
[02:05] <Patrickdk> sarnold, heh, it's been like this for years, first time someone had a problem
[02:05] <sarnold> :)
[02:05] <Patrickdk> calling sendmail is such a hack though
[02:05] <jjohansen> Patrickdk: so since we don't supply a sendmail profile I would recommend going with either
[02:05] <jjohansen>   /usr/bin/sendmail  ix,
[02:05] <jjohansen> or
[02:05] <jjohansen>   /usr/bin/sendmail pix,
[02:06] <Patrickdk> wouldn't work
[02:06] <Patrickdk> /usr/sbin/sendmail ix
[02:06] <Patrickdk> is what I used
[02:06] <Patrickdk> it then required, /usr/sbin/postdrop ix
[02:06] <jjohansen> oh fun
[02:08] <Patrickdk> name="/usr/sbin/sendmail" pid=10663 comm="mailx" requested_mask="x" denied_mask="x"
[02:09] <Patrickdk> I just have a huge profile I wrote, that gives the users exactly what they need and nothing else
[02:10] <Patrickdk> then I locked it to bash and dash
[02:10] <Patrickdk> works really well
[02:10] <jjohansen> nice
[02:10] <Patrickdk> users start with bash shell, and can't change it
[02:11] <Patrickdk> hmm, only 133 lines :)
[02:12] <Patrickdk> I saw apache suexec got apparmor support :) that is nice
[02:12] <Patrickdk> I had patched mine a long time ago with it, works well there too
[02:14] <jjohansen> oh nice, I didn't know that suexec had apparmor support, /me will have to look at what they are doing. apparmor does have the mod_apparmor apache plugin that allows profiles to be set based off of urls etc
[02:15] <jjohansen> but the suexec change is new to me
[02:15] <Patrickdk> oh, maybe it was mod_apparmor
[02:15] <Patrickdk> I know it could use hatchange in apache
[02:15] <Patrickdk> and suexec would be affected
[02:15] <Patrickdk> maybe it wasn't directly in suexec
[02:17] <jjohansen> ah maybe still worth looking into
=== zz_DenBeiren is now known as DenBeiren
=== Guest81467 is now known as rcj
=== TDog_ is now known as TDog
[04:12] <grendal_prime> you know this seems stupid..like i should know this, but isn't it possible to send all traffic destined for an fqdn to a local ip.... i mean without setting the hosts file on the client?
[04:13] <grendal_prime> i have a dns server but i only want to do this with...like port 80 traffic
[04:55] <grendal_prime> ya so this is whack
[05:08] <grendal_prime> it seems like if i set that in the hosts file of my ubuntu router, it should just route things to there.
[05:08] <grendal_prime> but that is not working
[06:24] <lordievader> Good morning
[06:24] <sarnold> grendal_prime: hunt around for a "transparent proxy howto", it'll have iptables rules that you can use to redirect traffic as you wish
[06:25] <grendal_prime> ya that's how i usually do this..but that does not seem to be working
[06:25] <grendal_prime> i can't figure out what the heck is going on actually
[06:27] <grendal_prime> i have used haproxy to do this as well..but it's weird..it's like my iptables changes are not taking effect.
[07:00] <grendal_prime> sarnold, i actually like the haproxy approach for what i'm doing, cause i can subdomain the web requests...and well also the xmpp i think.
[07:00] <grendal_prime> well...maybe not on those.
[07:01] <grendal_prime> well actually it looks like ya that's doable
[07:03] <grendal_prime> the proxy works from outside..but..hmm i think this is an issue with the router/firewall between my router/firewall and the wall.
[07:03] <grendal_prime> this is getting very frustrating.  The domain does not resolve to that internal ip and, hmm
=== kickinz1|afk is now known as kickinz1
[07:41] <grendal_prime> this is fn crazy
[07:41] <grendal_prime> i just...grrrrrr
[07:42] <grendal_prime> I have access to the dhcp server..i have access to the dns server...i can't make the internal machines go to something inside instead of outside the network?
[07:42] <grendal_prime> it's just nuts
=== Lcawte|Away is now known as Lcawte
=== Guest1167 is now known as hxm
=== mthaddon` is now known as mthaddon
=== kickinz1 is now known as kickinz1|afk
=== DenBeiren is now known as zz_DenBeiren
=== kickinz1|afk is now known as kickinz1
=== kickinz1 is now known as kickinz1|afk
=== FunguyFawx is now known as MycoFox
=== martins-afk is now known as martinst
=== kickinz1|afk is now known as kickinz1
=== Lcawte is now known as Lcawte|Away
=== blanoz is now known as Blanoz
=== martinst is now known as martins-afk
[13:09] <Anteac> im got aids
[13:09] <Anteac> just now
[13:09] <Anteac> from serverpilot
[13:24] <alias_neo> Hi guys, I'm trying to get the hw_random working in my xeon on ubuntu server, I'm struggling to get it to work properly, anybody got experience with it? I can't seem to get the intel kernel module to load and /dev/hwrng doesn't show up unless i start virtio-rng
=== Lcawte|Away is now known as Lcawte
[13:32] <alias_neo> Is 19GiB/s plausible for urandom if it's not using hwrng?
[13:33] <alias_neo> rngtest: input channel speed: (min=2.161; avg=169.892; max=19073.486)Mibits/s
[13:33] <alias_neo> or is that a red herring?
[14:00] <patdk-wk> hwrng has nothing to do with urandom
[14:01] <patdk-wk> urandom is based purely on your cpu bandwidth
[14:06] <jrwren> alias_neo: remember: http://www.2uo.de/myths-about-urandom/
[14:08] <alias_neo> jrwren thanks
[14:10] <jrwren> alias_neo: afaik, kernel will use RDRAND if the instruction is available.
[14:12] <alias_neo> my rngtest bandwidth doesn't seem to suggest I'm using the hwrand capability of my Xeon
[14:12] <alias_neo> rngd doesn't see it, modprobe-ing intel-rng doesn't work (no such device)
[14:15] <alias_neo> I'd like to be able to pass the hardware rng through to my kvm guests, because my IPA server for example on F21 is running out of entropy all the time
[14:18] <alias_neo> crap, now my ubuntu server has dropped my ssh connection and won't reconnect
=== Lcawte is now known as Lcawte|Away
=== matsubara is now known as matsubara-lunch
=== Lcawte|Away is now known as Lcawte
=== Lcawte is now known as Lcawte|Away
=== kickinz1 is now known as kickinz1|afk
[16:13] <jsmith-argotec> hi all
[16:15] <jsmith-argotec> how would I figure out the exact versions of each library dependency that would be installed with a package from the 12.04.00 without installing 12.04 from original media and installing the package?
[16:18] <pmatulis> jsmith-argotec: is this what you're looking for?  http://paste.ubuntu.com/10075458/
[16:18] <pmatulis> jsmith-argotec: ah, without installing 12.04
[16:20] <pmatulis> jsmith-argotec: probably a few ways but i think the easiest is to create an LXC container and doing the above
[16:24] <jsmith-argotec> pmatulis: hmm ok ty
[16:25] <jsmith-argotec> I'm having a problem with my pacemaker cluster software after the server was rebooted.  One direction I'm going down is that a security update to a library may have caused an incompatibility with the package
[16:25] <jsmith-argotec> different question - what should I look for in an strace to help look in the right direction?
[16:26] <pmatulis> jsmith-argotec: it would depend on the problem.  w/o specifics it's hard to help
[16:27] <jsmith-argotec> ok I'm getting "corosync [IPC ] Invalid IPC credentials" error when I start pacemaker followed by "attrd: [28829]: ERROR: main: HA Signon failed"
[16:28] <jsmith-argotec> pmatulis: corosync communications are working and both nodes are members.  When I start pacemaker I get those ^^^ errors
[16:29] <ivoks> jsmith-argotec: er
[16:29] <jsmith-argotec> pmatulis: what started it was the node was fenced. after reboot it wouldn't rejoin and had these errors.  I found it had booted with an incorrect kernel which I corrected but still getting the same errors
[16:29] <jsmith-argotec> ivoks: hi!
[16:29] <ivoks> jsmith-argotec: check package version of pacemaker and liblrmd
[16:30] <jsmith-argotec> ivoks: I was wondering if it's the same issue that was just SRU'd in trusty and up
[16:30] <jsmith-argotec> ivoks: ... no liblrmd installed...
[16:30] <ivoks> liblrmd1
[16:30] <ivoks> or something
[16:30] <ivoks> dpkg -l | grep liblrmd
[16:30] <ivoks> dpkg -l | grep pacemaker
[16:30] <jsmith-argotec> got it
[16:30] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[16:31] <ivoks> version should be exactly the same
[16:31] <jsmith-argotec> not even close
[16:31] <jsmith-argotec> 1.1.6-2ubuntu3 for pacemaker, 1.0.8-2ubuntu6 for liblrm2
[16:31] <ivoks> uh, that's an old version
[16:31] <jsmith-argotec> on 12.04
[16:31] <jsmith-argotec> precise
[16:31] <ivoks> liblrmd
[16:31] <ivoks> not liblrm
[16:32] <jsmith-argotec> dpkg -l | grep liblr
[16:32] <jsmith-argotec> ii  liblrm2                              1.0.8-2ubuntu6                    Reusable cluster libraries -- liblrm2
[16:32] <jsmith-argotec> that's all I have
[16:32] <ivoks> i don't remember how it was in 12.04
[16:33] <sarthor> sarthor:
[16:33] <jsmith-argotec> ivoks: not available for install via apt-get either
[16:33] <pmatulis> 1.0.8-2ubuntu6 is correct on 12.04
[16:34] <jsmith-argotec> according to showpkg dependencies lists liblrm2 not liblrmd
[16:34] <pmatulis> but pacemaker is 1.1.6-2ubuntu3.3
[16:34] <ivoks> that's fine
[16:34] <ivoks> liblrm is not from pacemaker source
[16:34] <ivoks> it's from cluster-glue
[16:35] <jsmith-argotec> pmatulis: yes that's the latest but I was running 1.1.6-2ubuntu3 when I had issues. tried upgrading which didn't help
[16:35] <pmatulis> oh
[16:35] <ivoks> did you just upgrade pacemaker or did you do dist-upgrade?
[16:35] <jsmith-argotec> and downgraded back just in cast
[16:35] <jsmith-argotec> case
[16:35] <jsmith-argotec> just pacemaker
[16:36] <pmatulis> so problems with both versions?
[16:36] <jsmith-argotec> but I have upgraded some libraries along the way from security etc
[16:36] <jsmith-argotec> pmatulis: yes
[16:36] <ivoks> see if dist-upgrade will install something in addition
[16:37] <jsmith-argotec> and I put other working node in maintenance and restarted the services there and now it's exhibiting the same errors
[16:37] <pmatulis> jsmith-argotec: did you ever reboot successfully on any version?
[16:37] <jsmith-argotec> pmatulis: yes I have a reboot/successful rejoin from December
[16:38] <pmatulis> jsmith-argotec: and you rebooted again, w/o changing anything and you have problems?
=== martins-afk is now known as martinst
[16:38] <pmatulis> jsmith-argotec: and then you tried fixing by upgrading stuff?
[16:38] <jsmith-argotec> ivoks: there's over 300 packages that would update... don't really want to update all of them
[16:39] <ivoks> try upgrading cluster-glue, if available
[16:39] <jsmith-argotec> pmatulis: node was fenced so it rebooted, then it didn't work.  There had been (at least) one package installed between.
[16:39] <jsmith-argotec> pmatulis: it booted with a newer kernel also which I reverted and also uninstalled everything from the last package install.  Still not working so I tried the upgrade
[16:40] <jsmith-argotec> ivoks: nothing new for cluster-glue
[16:40] <ivoks> i doubt that
[16:40] <ivoks> i bet on user error :)
[16:41] <jsmith-argotec> doubt what... nothing new for cluster-glue/
[16:41] <jsmith-argotec> ?
[16:41] <ivoks> are you starting pacemaker as a service or is corosync starting it?
[16:42] <jsmith-argotec> I start corosync manually and then pacemaker manually (plugin ver 1)
[16:42] <jsmith-argotec> as a service
[16:43] <jsmith-argotec> for history these 2 nodes have been running stable in production (failed over a few times as designed) for over 18 months
[16:43] <ivoks> mount | grep shm
[16:43] <jsmith-argotec> ivoks: it's on tmpfs:  none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:43] <jsmith-argotec> which is correct I believe?
[16:44] <ivoks> yes
[16:44] <ivoks> and /var/run/crm exists?
[16:44] <jsmith-argotec> in the strace there was something about libgpg-error right around the time of the HA signon error in the logs... is that something?
[16:44] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[16:45] <ivoks> is /var/run also tmpfs?
[16:46] <jsmith-argotec> run is... tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
[16:46] <jsmith-argotec> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
[16:46] <jsmith-argotec> none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:46] <ivoks> /var/run
[16:46] <jsmith-argotec> don't see /var/run
[16:46] <jsmith-argotec> /var/run -> /run
[16:46] <ivoks> do you have /var/run/crm?
[16:46] <jsmith-argotec> and run is on tmpfs
=== collizio1 is now known as collizion
[16:47] <jsmith-argotec> yes
[16:47] <jsutherland> Our next server is likely going to be a Dell R730 or HP DL380 Gen9. Both run best with either Dell or HP branded SAS drives. What limitations would I run into if I use generic Seagate SAS drives?
[16:48] <ivoks> jsmith-argotec: and permissions on stuff in /var/run/crm look ok?
[16:48] <jsmith-argotec> umm no.. hang on
[16:48] <jsmith-argotec> all should be hacluster:haclient right?
[16:49] <ivoks> do you have another cluster running on the same network?
[16:49] <jsmith-argotec> no
[16:49] <jsmith-argotec> uhh wait
[16:49] <jsmith-argotec> maybe
[16:49] <ivoks> quite possible, i'd say
[16:49] <ivoks> and you didn't set authkey
[16:50] <ivoks> or change the multicast port
[16:50] <jsmith-argotec> let me check that!
[16:56] <jsmith-argotec> ivoks: yes there are two 2 node clusters... wasn't thinking about the other set the other admin setup.
[16:57] <ivoks> always use authkey in corosync
[16:57] <jsmith-argotec> but.. both have secauth on, authkey created, both have 2 rings on 2 separate redundant nics (2 direct connect, 2 LAN), and all 4 are different mcast addresses
[16:57] <ivoks> always.
[16:57] <ivoks> you need to change mcast port
[16:58] <jsmith-argotec> so each cluster needs to use a different port at least on the common LAN even if different mcast addresses?
[16:59] <ivoks> which mcast addresses do you use?
[16:59] <jsmith-argotec> isn't that particular to corosync communications not pacemaker or am I way off?  'cause both nodes are members of the coro rings
[16:59] <ivoks> both?
[16:59] <ivoks> you have only two nodes?
[17:00] <jsmith-argotec> one cluster: mcastaddr: 226.94.1.1, mcastaddr: 239.192.0.1.  second cluster: 239.198.10.1,  239.199.20.1, all port 5405
[17:00] <jsmith-argotec> yes only 2 nodes in each cluster, 2 clusters
[17:01] <ivoks> er
[17:01] <ivoks> different mcast addresses on different nodes in the same cluster?
[17:01] <jsmith-argotec> I can pastebin the corosync.conf if you like?
[17:01] <ivoks> sure
[17:02] <ivoks> oh, those are different rings
[17:03] * ivoks is around for next few minutes, and then I'm out of here
[17:03] <jsmith-argotec> http://paste.ubuntu.com/10076093/
[17:05] <ivoks> http://manpages.ubuntu.com/manpages/saucy/man5/votequorum.5.html
[17:05] <jsmith-argotec> this is the config from the 2 nodes that are having the issue
[17:05] <ivoks> SPECIAL FEATURES
[17:05] <ivoks> two_node: 1
[17:08] <jsmith-argotec> ivoks: but it has been working fine for months... or was that just dumb luck?
[17:10] <ivoks> it works while there's no disruption
[17:10] <ivoks> or if you reboot both at the same time
[17:11] <ivoks> if you reboot one by one, all kinds of things can happen
[17:11] <ivoks> i'm not sure that's the cause of your problem, but for start, your configuration is missing this important bit
[17:11] <jsmith-argotec> OK will correct that one
[17:29] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
=== matsubara-lunch is now known as matsubara
[17:43] <hallyn> jdstrand: hm.  well, the thing is, the libvirt-qemu file ends in '}', so appending a rule doesn't suffice :)  i wonder why it worked in the karmic case.
[17:44] <hallyn> i guess i'll just sed the file first...
[18:04] <hallyn> wait, that's messed up
[18:06] <hallyn> heh, mea culpa
[18:24] <jdstrand> hallyn: actually, it would suffice cause the '}' corresponds to the 'profile qemu_bridge_helper {' child profile
[18:24] <jdstrand> hallyn: (however, karmic didn't have that child profile)
[18:26] <hallyn> yeah;  so i'm trying to figure out why it's still not working
[18:26] <jdstrand> hallyn: but if you're adding a rule that is covered by an explicit deny rule, remember that deny rules are evaluated after allow rules, so you may need a sed regardless
[18:26] <hallyn> maybe i'll just do /tmp/** rw
[18:26] <hallyn> oh,
[18:26] <jdstrand> yeah
[18:26] <hallyn> i thought 'deny rules evaluated after allow rules' meant they are subservient
[18:26] <jdstrand> deny /tmp/** r,
[18:27] <jdstrand> /tmp/** r,
[18:27] <jdstrand> the deny always wins that
[18:27] <hallyn> near as i can tell i can't use testlib then
[18:27] <hallyn> or, i'll just make a backup and then sed to my heart's content, i guess
[18:27] <jdstrand> hallyn: you can-- just not with append
[18:27] <jdstrand> hallyn: read in the contents, remove the deny rules, add your rule, then replace the file without appending
[18:28] <hallyn> that seems more complicated
[18:28] <jdstrand> testlib should support what I just mentioned
[18:28] * hallyn looks
[18:28] <jdstrand> it is, but it means you can simply use a _restore() in the tearDown
[18:29] <hallyn> i can still do that if i make the backup using testlib._backup
[18:30] <jdstrand> hallyn: _update_config in test-libvirt.py does basically what I said
[18:30] <jdstrand> hallyn: it could be much simpler for your case, but it is there for inspiration
[18:31] <hallyn> jdstrand: ok, thanks
[18:31] <jdstrand> np
[18:31] <hallyn> i'd thought this would be a quick fix, but i'm messing it up at each attempt :)  there's still another bug to fix before we can release, sigh
=== Lcawte|Away is now known as Lcawte
=== elliotd123_ is now known as elliotd123
[20:36] <jsmith-argotec> ivoks: I made the quorum change and both members rejoined.  Still getting the same error though
[22:41] <dtscode> hey guys... i followed this https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts but when i get to sudo a2ensite ts3.dtscode.io it says ERROR: Site ts3.dtscode.io does not exist! how can i fix this?
[22:52] <justizin> is it just me, or does trusty not have add-apt-repository? *looks confused*
[22:53] <justizin> i mean, i guess i can add it manually, it just seems like a lot of trouble has been gone to to make this simple..
[22:53] <justizin> apt-cache search add-apt-repository also comes up empty for me
[22:55] <sarnold> dtscode: did you name your config file with a .conf file extension? I think that's required
[22:56] <sarnold> justizin: it's in the software-properties-common package
[22:56] <dtscode> sarnold, thanks :D that did it
[22:56] <justizin> interesting.. i guess i have typically gotten that by installing python-software-properties, but it now installs python3-software-properties
[22:56] <justizin> i'll try to remember software-properties-common :)
[22:57] <justizin> also i guess the official ubuntu vagrant virtualbox image doesn't have it, not sure if it's expected to be present.
[22:57] <justizin> kind of seems like it makes sense to be, but i'm sure there was some long arcane e-mail flamewar that resulted in this decision. ;d
[22:57] <sarnold> I suspect the truth is less interesting than you suspect :) hehe
[22:59] <justizin> sarnold: likely. :)
[23:10] <justizin> btw tks sarnold!
[23:11] <sarnold> you're welcome justizin :)
[23:35] <arcsky> hello i have some ubuntu servers at work. i wonder if there are any good management tool for upgrade and maintain all the servers
[23:40] <sarnold> arcsky: many; landscape, ansible, puppet, chef, cfengine (ancient)
=== a1berto_ is now known as a1berto
