zotta | I want to execute a conversion program on data uploaded to a website. However the converter is known to have security issues all the time. | 00:17 |
---|---|---|
zotta | Is there a way to run such a program in a sandbox? | 00:17 |
zotta | Basically I want to restrict reading files to one input file and writing to one output file, prevent network access and limit execution time and ram | 00:17 |
sarnold | zotta: you can wrap the converter in an apparmor profile | 00:21 |
Patrickdk | well, if you combine apparmor and ulimit will do most of that | 00:21 |
Patrickdk | but never looked at limiting network access | 00:21 |
sarnold | apparmor can deny network access, "deny network," ought to do the trick -- but that might also forbid e.g. unix sockets if that's how the web server drives it, hehe | 00:22 |
jjohansen | sarnold: sure but you can allow unix sockets, and just not allow network | 00:23 |
jjohansen | since its default deny, network will be denied | 00:24 |
sarnold | hey jjohansen :) | 00:24 |
jjohansen | hey sarnold | 00:24 |
zotta | Does it support whitelist for file read access? | 00:26 |
sarnold | zotta: yes | 00:26 |
sarnold | zotta: for example, here's my irssi (irc client) profile: http://paste.ubuntu.com/10062642/ | 00:26 |
zotta | Sounds great. I will up on it. | 00:27 |
sarnold | hmm, that could use some slight improvements... | 00:27 |
sarnold | but I hope it helps convey the flavour of apparmor profiles :) | 00:27 |
zotta | :) thx | 00:28 |
=== morenoh151 is now known as morenoh149 | ||
Patrickdk | I had to adjust my apparmor profile today :( | 02:00 |
Patrickdk | users couldn't send email | 02:00 |
jjohansen | Patrickdk: what was the message that was logged? | 02:01 |
jjohansen | dmesg | grep DENIED | 02:01 |
jjohansen | or | 02:01 |
jjohansen | grep DENIED /var/log/syslog | 02:01 |
Patrickdk | heh? | 02:01 |
Patrickdk | the message that was logged was, denied x to /usr/sbin/sendmail | 02:02 |
Patrickdk | as, by normal sanity, there is nothing in /usr/sbin a user needs, except sendmail apparently | 02:03 |
sarnold | you let your users send email? how decadent :) | 02:04 |
Patrickdk | sarnold, heh, it's been like this for years, first time someone had a problem | 02:05 |
sarnold | :) | 02:05 |
Patrickdk | calling sendmail is such a hack though | 02:05 |
jjohansen | Patrickdk: so since we don't supply a send mail profile I would recommend going with either | 02:05 |
jjohansen | /usr/bin/sendmail ix, | 02:05 |
jjohansen | or | 02:05 |
jjohansen | /usr/bin/sendmail pix, | 02:05 |
Patrickdk | wouldn't work | 02:06 |
Patrickdk | /usr/sbin/sendmail ix | 02:06 |
Patrickdk | is what I used | 02:06 |
Patrickdk | it then required, /usr/sbin/postdrop ix | 02:06 |
jjohansen | oh fun | 02:06 |
Patrickdk | name="/usr/sbin/sendmail" pid=10663 comm="mailx" requested_mask="x" denied_mask="x" | 02:08 |
Patrickdk | I just have a huge profile I wrote, that gives the users exactly what they need and nothing else | 02:09 |
Patrickdk | then I locked it to bash and dash | 02:10 |
Patrickdk | works really well | 02:10 |
jjohansen | nice | 02:10 |
Patrickdk | users start with bash shell, and can't change it | 02:10 |
Patrickdk | hmm, only 133 lines :) | 02:11 |
Patrickdk | I saw apache suexec got apparmor support :) that is nice | 02:12 |
Patrickdk | I had patched mine a long time ago with it, works well there too | 02:12 |
jjohansen | oh nice, I didn't know that suexec had apparmor support, /me will have to look at what they are doing. apparmor does have the mod_apparmor apache plugin that allows profiles to be set based off of urls etc | 02:14 |
jjohansen | but the suexec change is new to me | 02:15 |
Patrickdk | oh, maybe it was mod_apparmor | 02:15 |
Patrickdk | I know it could use hatchange in apache | 02:15 |
Patrickdk | and suexec would be affected | 02:15 |
Patrickdk | maybe it wasn't directly in suexec | 02:15 |
jjohansen | ah maybe still worth looking into | 02:17 |
=== zz_DenBeiren is now known as DenBeiren | ||
=== Guest81467 is now known as rcj | ||
=== TDog_ is now known as TDog | ||
grendal_prime | you know this seems stupid..like i should know this, but isn't it possible to send all traffic destined for an fqdn to a local ip.... i mean without setting the hosts file on the client? | 04:12 |
grendal_prime | i have a dns server but i only want to do this with...like port 80 traffic | 04:13 |
grendal_prime | ya so this is whack | 04:55 |
grendal_prime | it seems like if i set that in the hosts file of my ubuntu router, it should just route things to there. | 05:08 |
grendal_prime | but that is not working | 05:08 |
lordievader | Good morning | 06:24 |
sarnold | grendal_prime: hunt around for a "transparent proxy howto", it'll have iptables rules that you can use to redirect traffic as you wish | 06:24 |
grendal_prime | ya that's how i usually do this..but that does not seem to be working | 06:25 |
grendal_prime | i can't figure out what the heck is going on actually | 06:25 |
grendal_prime | i have used haproxy to do this as well..but it's weird..it's like my iptables changes are not taking effect. | 06:27 |
grendal_prime | sarnold, i actually like the haproxy approach for what I'm doing, cause i can subdomain the web requests...and well also the xmpp i think. | 07:00 |
grendal_prime | well...maybe not on those. | 07:00 |
grendal_prime | well actually it looks like ya thats doable | 07:01 |
grendal_prime | the proxy works from outside..but..hmm i think this is an issue with the router/firewall between my router/firewall and the wall. | 07:03 |
grendal_prime | this is getting very frustrating. The domain does not resolve to that internal ip and, hmm | 07:03 |
=== kickinz1|afk is now known as kickinz1 | ||
grendal_prime | this is fn crazy | 07:41 |
grendal_prime | i just...grrrrrr | 07:41 |
grendal_prime | I have access to the dhcp server..i have access to the dns server...i can't make the internal machines go to something inside instead of outside the network? | 07:42 |
grendal_prime | its just nuts | 07:42 |
=== Lcawte|Away is now known as Lcawte | ||
=== Guest1167 is now known as hxm | ||
=== mthaddon` is now known as mthaddon | ||
=== kickinz1 is now known as kickinz1|afk | ||
=== DenBeiren is now known as zz_DenBeiren | ||
=== kickinz1|afk is now known as kickinz1 | ||
=== kickinz1 is now known as kickinz1|afk | ||
=== FunguyFawx is now known as MycoFox | ||
=== martins-afk is now known as martinst | ||
=== kickinz1|afk is now known as kickinz1 | ||
=== Lcawte is now known as Lcawte|Away | ||
=== blanoz is now known as Blanoz | ||
=== martinst is now known as martins-afk | ||
Anteac | im got aids | 13:09 |
Anteac | just now | 13:09 |
Anteac | from serverpilot | 13:09 |
alias_neo | Hi guys, I'm trying to get the hw_random working in my xeon on ubuntu server, I'm struggling to get it to work properly, anybody got experience with it? I can't seem to get the intel kernel module to load and /dev/hwrng doesn't show up unless i start virtio-rng | 13:24 |
=== Lcawte|Away is now known as Lcawte | ||
alias_neo | Is 19GiB/s plausible for urandom if it's not using hwrng? | 13:32 |
alias_neo | rngtest: input channel speed: (min=2.161; avg=169.892; max=19073.486)Mibits/s | 13:33 |
alias_neo | or is that a red herring? | 13:33 |
patdk-wk | hwrng has nothing to do with urandom | 14:00 |
patdk-wk | urandom is based purely on your cpu bandwidth | 14:01 |
jrwren | alias_neo: remember: http://www.2uo.de/myths-about-urandom/ | 14:06 |
alias_neo | jrwren thanks | 14:08 |
jrwren | alias_neo: afaik, kernel will use RDRAND if the instruction is available. | 14:10 |
alias_neo | my rngtest bandwidth doesn't seem to suggest I'm using the hwrand capability of my Xeon | 14:12 |
alias_neo | rngd doesn't see it, modprobe-ing intel-rng doesn't work (no such device) | 14:12 |
alias_neo | I'd like to be able to pass the hardware rng through to my kvm guests, because my IPA server for example on F21 is running out of entropy all the time | 14:15 |
alias_neo | crap, now my ubuntu server has dropped my ssh connection and won't reconnect | 14:18 |
=== Lcawte is now known as Lcawte|Away | ||
=== matsubara is now known as matsubara-lunch | ||
=== Lcawte|Away is now known as Lcawte | ||
=== Lcawte is now known as Lcawte|Away | ||
=== kickinz1 is now known as kickinz1|afk | ||
jsmith-argotec | hi all | 16:13 |
jsmith-argotec | how would I figure out the exact versions of each library dependency that would be installed with a package from the 12.04.00 without installing 12.04 from original media and installing the package? | 16:15 |
pmatulis | jsmith-argotec: is this what you're looking for? http://paste.ubuntu.com/10075458/ | 16:18 |
pmatulis | jsmith-argotec: ah, without installing 12.04 | 16:18 |
pmatulis | jsmith-argotec: probably a few ways but i think the easiest is to create an LXC container and doing the above | 16:20 |
jsmith-argotec | pmatulis: hmm ok ty | 16:24 |
jsmith-argotec | I'm having a problem with my pacemaker cluster software after the server was rebooted. One direction I'm going down is that a security update to a library may have caused an incompatibility with the package | 16:25 |
jsmith-argotec | different question - what should I look for in an strace to help look in the right direction? | 16:25 |
pmatulis | jsmith-argotec: it would depend on the problem. w/o specifics it's hard to help | 16:26 |
jsmith-argotec | ok I'm getting "corosync [IPC ] Invalid IPC credentials" error when I start pacemaker followed by "attrd: [28829]: ERROR: main: HA Signon failed" | 16:27 |
jsmith-argotec | pmatulis: corosync communications are working and both nodes are members. When I start pacemaker I get those ^^^ errors | 16:28 |
ivoks | jsmith-argotec: er | 16:29 |
jsmith-argotec | pmatulis: what started it was the node was fenced. after reboot it wouldn't rejoin and had these errors. I found it had booted with an incorrect kernel which I corrected but still getting the same errors | 16:29 |
jsmith-argotec | ivoks: hi! | 16:29 |
ivoks | jsmith-argotec: check package version of pacemaker and liblrmd | 16:29 |
jsmith-argotec | ivoks: I was wondering if it's the same issue that was just SRU'd in trusty and up | 16:30 |
jsmith-argotec | ivoks: ... no liblrmd installed... | 16:30 |
ivoks | liblrmd1 | 16:30 |
ivoks | or something | 16:30 |
ivoks | dpkg -l | grep liblrmd | 16:30 |
ivoks | dpkg -l | grep pacemaker | 16:30 |
jsmith-argotec | got it | 16:30 |
sarthor | Hi, I have ubuntu-server 14.04 running; when ubuntu exports some text to pdf, I can not see Arabic words in a proper way, irregular fonts showing. How can I fix this? HELP please. | 16:30 |
ivoks | version should be exactly the same | 16:31 |
jsmith-argotec | not even close | 16:31 |
jsmith-argotec | 1.1.6-2ubuntu3 for pacemaker, 1.0.8-2ubuntu6 for liblrm2 | 16:31 |
ivoks | uh, that's an old version | 16:31 |
jsmith-argotec | on 12.04 | 16:31 |
jsmith-argotec | precise | 16:31 |
ivoks | liblrmd | 16:31 |
ivoks | not liblrm | 16:31 |
jsmith-argotec | dpkg -l | grep liblr | 16:32 |
jsmith-argotec | ii liblrm2 1.0.8-2ubuntu6 Reusable cluster libraries -- liblrm2 | 16:32 |
jsmith-argotec | that's all I have | 16:32 |
ivoks | i don't remember how it was in 12.04 | 16:32 |
sarthor | sarthor: | 16:33 |
jsmith-argotec | ivoks: not available for install via apt-get either | 16:33 |
pmatulis | 1.0.8-2ubuntu6 is correct on 12.04 | 16:33 |
jsmith-argotec | according to showpkg, dependencies list liblrm2 not liblrmd | 16:34 |
pmatulis | but pacemaker is 1.1.6-2ubuntu3.3 | 16:34 |
ivoks | that's fine | 16:34 |
ivoks | liblrm is not from pacemaker source | 16:34 |
ivoks | it's from cluster-glue | 16:34 |
jsmith-argotec | pmatulis: yes that's the latest but I was running 1.1.6-2ubuntu3 when I had issues. tried upgrading which didn't help | 16:35 |
pmatulis | oh | 16:35 |
ivoks | did you just upgrade pacemaker or did you do dist-upgrade? | 16:35 |
jsmith-argotec | and downgraded back just in cast | 16:35 |
jsmith-argotec | case | 16:35 |
jsmith-argotec | just pacemaker | 16:35 |
pmatulis | so problems with both versions? | 16:36 |
jsmith-argotec | but I have upgraded some libraries along the way from security etc | 16:36 |
jsmith-argotec | pmatulis: yes | 16:36 |
ivoks | see if dist-upgrade will install something in addition | 16:36 |
jsmith-argotec | and I put other working node in maintenance and restarted the services there and now it's exhibiting the same errors | 16:37 |
pmatulis | jsmith-argotec: did you ever reboot successfully on any version? | 16:37 |
jsmith-argotec | pmatulis: yes I have a reboot/successful rejoin from December | 16:37 |
pmatulis | jsmith-argotec: and you rebooted again, w/o changing anything and you have problems? | 16:38 |
=== martins-afk is now known as martinst | ||
pmatulis | jsmith-argotec: and then you tried fixing by upgrading stuff? | 16:38 |
jsmith-argotec | ivoks: there's over 300 packages that would update... don't really want to update all of them | 16:38 |
ivoks | try upgrading cluster-glue, if available | 16:39 |
jsmith-argotec | pmatulis: node was fenced so it rebooted, then it didn't work. There had been (at least) one package installed between. | 16:39 |
jsmith-argotec | pmatulis: it booted with a newer kernel also which I reverted and also uninstalled everything from the last package install. Still not working so I tried the upgrade | 16:39 |
jsmith-argotec | ivoks: nothing new for cluster-glue | 16:40 |
ivoks | i doubt that | 16:40 |
ivoks | i bet on user error :) | 16:40 |
jsmith-argotec | doubt what... nothing new for cluster-glue/ | 16:41 |
jsmith-argotec | ? | 16:41 |
ivoks | are you starting pacemaker as a service or is corosync starting it? | 16:41 |
jsmith-argotec | I start corosync manually and then pacemaker manually (plugin ver 1) | 16:42 |
jsmith-argotec | as a service | 16:42 |
jsmith-argotec | for history these 2 nodes have been running stable in production (failed over a few times as designed) for over 18 months | 16:43 |
ivoks | mount | grep shm | 16:43 |
jsmith-argotec | ivoks: it's on tmpfs: none on /run/shm type tmpfs (rw,nosuid,nodev) | 16:43 |
jsmith-argotec | which is correct I believe? | 16:43 |
ivoks | yes | 16:44 |
ivoks | and /var/run/crm exists? | 16:44 |
jsmith-argotec | in the strace there was something about libgpg-error right around the time of the HA signon error in the logs... is that something? | 16:44 |
sarthor | Hi, I have ubuntu-server 14.04 running; when ubuntu exports some text to pdf, I can not see Arabic words in a proper way, irregular fonts showing. How can I fix this? HELP please. | 16:44 |
ivoks | is /var/run also tmpfs? | 16:45 |
jsmith-argotec | run is... tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755) | 16:46 |
jsmith-argotec | none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880) | 16:46 |
jsmith-argotec | none on /run/shm type tmpfs (rw,nosuid,nodev) | 16:46 |
ivoks | /var/run | 16:46 |
jsmith-argotec | don't see /var/run | 16:46 |
jsmith-argotec | /var/run -> /run | 16:46 |
ivoks | do you have /var/run/crm? | 16:46 |
jsmith-argotec | and run is on tmpfs | 16:46 |
=== collizio1 is now known as collizion | ||
jsmith-argotec | yes | 16:47 |
jsutherland | Our next server is likely going to be a Dell R730 or HP DL380 Gen9. Both run best with either Dell or HP branded SAS drives. What limitations would I run into if I use generic Seagate SAS drives? | 16:47 |
ivoks | jsmith-argotec: and permissions on stuff in /var/run/crm look ok? | 16:48 |
jsmith-argotec | umm no.. hang on | 16:48 |
jsmith-argotec | all should be hacluster:haclient right? | 16:48 |
ivoks | do you have another cluster running on the same network? | 16:49 |
jsmith-argotec | no | 16:49 |
jsmith-argotec | uhh wait | 16:49 |
jsmith-argotec | maybe | 16:49 |
ivoks | quite possible, i'd say | 16:49 |
ivoks | and you didn't set authkey | 16:49 |
ivoks | or change the multicast port | 16:50 |
jsmith-argotec | let me check that! | 16:50 |
jsmith-argotec | ivoks: yes there are two 2 node clusters... wasn't thinking about the other set the other admin setup. | 16:56 |
ivoks | always use authkey in corosync | 16:57 |
jsmith-argotec | but.. both have secauth on, authkey created, both have 2 rings on 2 separate redundant nics (2 direct connect, 2 LAN), and all 4 are different mcast addresses | 16:57 |
ivoks | always. | 16:57 |
ivoks | you need to change mcast port | 16:57 |
jsmith-argotec | so each cluster needs to use a different port at least on the common LAN even if different mcast addresses? | 16:58 |
ivoks | which mcast addresses do you use? | 16:59 |
jsmith-argotec | isn't that particular to corosync communications not pacemaker or am I way off? 'cause both nodes are members of the coro rings | 16:59 |
ivoks | both? | 16:59 |
ivoks | you have only two nodes? | 16:59 |
jsmith-argotec | one cluster: mcastaddr: 226.94.1.1, mcastaddr: 239.192.0.1. second cluster: 239.198.10.1, 239.199.20.1, all port 5405 | 17:00 |
jsmith-argotec | yes only 2 nodes in each cluster, 2 clusters | 17:00 |
ivoks | er | 17:01 |
ivoks | different mcast addresses on different nodes in the same cluster? | 17:01 |
jsmith-argotec | I can pastebin the corosync.conf if you like? | 17:01 |
ivoks | sure | 17:01 |
ivoks | oh, those are different rings | 17:02 |
* ivoks is around for next few minutes, and then I'm out of here | 17:03 | |
jsmith-argotec | http://paste.ubuntu.com/10076093/ | 17:03 |
ivoks | http://manpages.ubuntu.com/manpages/saucy/man5/votequorum.5.html | 17:05 |
jsmith-argotec | this is the config from the 2 nodes that are having the issue | 17:05 |
ivoks | SPECIAL FEATURES | 17:05 |
ivoks | two_node: 1 | 17:05 |
jsmith-argotec | ivoks: but it has been working fine for months... or was that just dumb luck? | 17:08 |
ivoks | it works while there's no disruption | 17:10 |
ivoks | or if you reboot both at the same time | 17:10 |
ivoks | if you reboot one by one, all kinds of things can happen | 17:11 |
ivoks | i'm not sure that's the cause of your problem, but for start, your configuration is missing this important bit | 17:11 |
jsmith-argotec | OK will correct that one | 17:11 |
sarthor | Hi, I have ubuntu-server 14.04 running; when ubuntu exports some text to pdf, I can not see Arabic words in a proper way, irregular fonts showing. How can I fix this? HELP please. | 17:29 |
=== matsubara-lunch is now known as matsubara | ||
hallyn | jdstrand: hm. well, the thing is, the libvirt-qemu file ends in '}', so appending a rule doesn't suffice :) i wonder why it worked in the karmic case. | 17:43 |
hallyn | i guess i'll just sed the file first... | 17:44 |
hallyn | wait, that's messed up | 18:04 |
hallyn | heh, mea culpa | 18:06 |
jdstrand | hallyn: actually, it would suffice cause the '}' corresponds to the 'profile qemu_bridge_helper {' child profile | 18:24 |
jdstrand | hallyn: (however, karmic didn't have that child profile) | 18:24 |
hallyn | yeah; so i'm trying to figure out why it's still not working | 18:26 |
jdstrand | hallyn: but if you're adding a rule that is covered by an explicit deny rule, remember that deny rules are evaluated after allow rules, so you may need a sed regardless | 18:26 |
hallyn | maybe i'll just do /tmp/** rw | 18:26 |
hallyn | oh, | 18:26 |
jdstrand | yeah | 18:26 |
hallyn | i thought 'deny rules evaluated after allow rules' meant they are subservient | 18:26 |
jdstrand | deny /tmp/** r, | 18:26 |
jdstrand | /tmp/** r, | 18:27 |
jdstrand | the deny always wins that | 18:27 |
hallyn | near as i can tell i can't use testlib then | 18:27 |
hallyn | or, i'll just make a backup and then sed to my heart's content, i guess | 18:27 |
jdstrand | hallyn: you can-- just not with append | 18:27 |
jdstrand | hallyn: read in the contents, remove the deny rules, add your rule, then replace the file without appending | 18:27 |
hallyn | that seems more complicated | 18:28 |
jdstrand | testlib should support what I just mentioned | 18:28 |
* hallyn looks | 18:28 | |
jdstrand | it is, but it means you can simply use a _restore() in the tearDown | 18:28 |
hallyn | i can still do that if i make the backup using testlib._backup | 18:29 |
jdstrand | hallyn: _update_config in test-libvirt.py does basically what I said | 18:30 |
jdstrand | hallyn: it could be much simpler for your case, but it is there for inspiration | 18:30 |
hallyn | jdstrand: ok, thanks | 18:31 |
jdstrand | np | 18:31 |
hallyn | i'd thought this would be a quick fix, but i'm messing it up at each attempt :) there's still another bug to fix before we can release, sigh | 18:31 |
=== Lcawte|Away is now known as Lcawte | ||
=== elliotd123_ is now known as elliotd123 | ||
jsmith-argotec | ivoks: I made the quorum change and both members rejoined. Still getting the same error though | 20:36 |
dtscode | hey guys... i followed this https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts but when i get to sudo a2ensite ts3.dtscode.io it says ERROR: Site ts3.dtscode.io does not exist! how can i fix this? | 22:41 |
justizin | is it just me, or does trusty not have add-apt-repository? *looks confused* | 22:52 |
justizin | i mean, i guess i can add it manually, it just seems like a lot of trouble has been gone to to make this simple.. | 22:53 |
justizin | apt-cache search add-apt-repository also comes up empty for me | 22:53 |
sarnold | dtscode: did you name your config file with a .conf file extension? I think that's required | 22:55 |
sarnold | justizin: it's in the software-properties-common package | 22:56 |
dtscode | sarnold, thanks :D that did it | 22:56 |
justizin | interesting.. i guess i have typically gotten that by installing python-software-properties, but it now installs python3-software-properties | 22:56 |
justizin | i'll try to remember software-properties-common :) | 22:56 |
justizin | also i guess the official ubuntu vagrant virtualbox image doesn't have it, not sure if it's expected to be present. | 22:57 |
justizin | kind of seems like it makes sense to be, but i'm sure there was some long arcane e-mail flamewar that resulted in this decision. ;d | 22:57 |
sarnold | I suspect the truth is less interesting than you suspect :) hehe | 22:57 |
justizin | sarnold: likely. :) | 22:59 |
justizin | btw tks sarnold! | 23:10 |
sarnold | you're welcome justizin :) | 23:11 |
arcsky | hello i have some ubuntu servers at work. i wonder if there are any good management tools for upgrading and maintaining all the servers | 23:35 |
sarnold | arcsky: many; landscape, ansible, puppet, chef, cfengine (ancient) | 23:40 |
=== a1berto_ is now known as a1berto |