[00:17] I want to execute a conversion program on data uploaded to a website. However the converter is known to have security issues all the time.
[00:17] Is there a way to run such a program in a sandbox?
[00:17] Basically I want to restrict reading files to one input file and writing to one output file, prevent network access and limit execution time and RAM
[00:21] zotta: you can wrap the converter in an apparmor profile
[00:21] well, if you combine apparmor and ulimit it will do most of that
[00:21] but never looked at limiting network access
[00:22] apparmor can deny network access, "deny network," ought to do the trick -- but that might also forbid e.g. unix sockets if that's how the web server drives it, hehe
[00:23] sarnold: sure but you can allow unix sockets, and just not allow network
[00:24] since it's default deny, network will be denied
[00:24] hey jjohansen :)
[00:24] hey sarnold
[00:26] Does it support a whitelist for file read access?
[00:26] zotta: yes
[00:26] zotta: for example, here's my irssi (irc client) profile: http://paste.ubuntu.com/10062642/
[00:27] Sounds great. I will read up on it.
[00:27] hmm, that could use some slight improvements...
[00:27] but I hope it helps convey the flavour of apparmor profiles :)
[00:28] :) thx
=== morenoh151 is now known as morenoh149
[02:00] I had to adjust my apparmor profile today :(
[02:00] users couldn't send email
[02:01] Patrickdk: what was the message that was logged?
[02:01] dmesg | grep DENIED
[02:01] or
[02:01] grep DENIED /var/log/syslog
[02:01] heh?
[02:02] the message that was logged was, denied x to /usr/sbin/sendmail
[02:03] as, by normal sanity, there is nothing in /usr/sbin a user needs, except sendmail apparently
[02:04] you let your users send email?
how decadent :)
[02:05] sarnold, heh, it's been like this for years, first time someone had a problem
[02:05] :)
[02:05] calling sendmail is such a hack though
[02:05] Patrickdk: so since we don't supply a sendmail profile I would recommend going with either
[02:05] /usr/bin/sendmail ix,
[02:05] or
[02:05] /usr/bin/sendmail pix,
[02:06] wouldn't work
[02:06] /usr/sbin/sendmail ix
[02:06] is what I used
[02:06] it then required, /usr/sbin/postdrop ix
[02:06] oh fun
[02:08] name="/usr/sbin/sendmail" pid=10663 comm="mailx" requested_mask="x" denied_mask="x"
[02:09] I just have a huge profile I wrote, that gives the users exactly what they need and nothing else
[02:10] then I locked it to bash and dash
[02:10] works really well
[02:10] nice
[02:10] users start with bash shell, and can't change it
[02:11] hmm, only 133 lines :)
[02:12] I saw apache suexec got apparmor support :) that is nice
[02:12] I had patched mine a long time ago with it, works well there too
[02:14] oh nice, I didn't know that suexec had apparmor support, /me will have to look at what they are doing. apparmor does have the mod_apparmor apache plugin that allows profiles to be set based off of urls etc
[02:15] but the suexec change is new to me
[02:15] oh, maybe it was mod_apparmor
[02:15] I know it could use hatchange in apache
[02:15] and suexec would be affected
[02:15] maybe it wasn't directly in suexec
[02:17] ah maybe still worth looking into
=== zz_DenBeiren is now known as DenBeiren
=== Guest81467 is now known as rcj
=== TDog_ is now known as TDog
[04:12] you know this seems stupid..like i should know this, but isn't it possible to send all traffic destined for an fqdn to a local ip.... i mean without setting the hosts file on the client?
[04:13] i have a dns server but i only want to do this with...like port 80 traffic
[04:55] ya so this is whack
[05:08] it seems like if i set that in the hosts file of my ubuntu router, it should just route things to there.
[05:08] but that is not working
[06:24] Good morning
[06:24] grendal_prime: hunt around for a "transparent proxy howto", it'll have iptables rules that you can use to redirect traffic as you wish
[06:25] ya that's how i usually do this..but that does not seem to be working
[06:25] i can't figure out what the heck is going on actually
[06:27] i have used haproxy to do this as well..but it's weird..it's like my iptables changes are not taking effect.
[07:00] sarnold, i actually like the haproxy approach for what i'm doing, cause i can subdomain the web requests...and well also the xmpp i think.
[07:00] well...maybe not on those.
[07:01] well actually it looks like ya that's doable
[07:03] the proxy works from outside..but..hmm i think this is an issue with the router/firewall between my router/firewall and the wall.
[07:03] this is getting very frustrating. The domain does not resolve to that internal ip and, hmm
=== kickinz1|afk is now known as kickinz1
[07:41] this is fn crazy
[07:41] i just...grrrrrr
[07:42] I have access to the dhcp server..i have access to the dns server...i can't make the internal machines go to something inside instead of outside the network?
[07:42] it's just nuts
=== Lcawte|Away is now known as Lcawte
=== Guest1167 is now known as hxm
=== mthaddon` is now known as mthaddon
=== kickinz1 is now known as kickinz1|afk
=== DenBeiren is now known as zz_DenBeiren
=== kickinz1|afk is now known as kickinz1
=== kickinz1 is now known as kickinz1|afk
=== FunguyFawx is now known as MycoFox
=== martins-afk is now known as martinst
=== kickinz1|afk is now known as kickinz1
=== Lcawte is now known as Lcawte|Away
=== blanoz is now known as Blanoz
=== martinst is now known as martins-afk
[13:09] im got aids
[13:09] just now
[13:09] from serverpilot
[13:24] Hi guys, I'm trying to get the hw_random working in my xeon on ubuntu server, I'm struggling to get it to work properly, anybody got experience with it?
I can't seem to get the intel kernel module to load and /dev/hwrng doesn't show up unless i start virtio-rng
=== Lcawte|Away is now known as Lcawte
[13:32] Is 19GiB/s plausible for urandom if it's not using hwrng?
[13:33] rngtest: input channel speed: (min=2.161; avg=169.892; max=19073.486)Mibits/s
[13:33] or is that a red herring?
[14:00] hwrng has nothing to do with urandom
[14:01] urandom is based purely on your cpu bandwidth
[14:06] alias_neo: remember: http://www.2uo.de/myths-about-urandom/
[14:08] jrwren thanks
[14:10] alias_neo: afaik, kernel will use RDRAND if the instruction is available.
[14:12] my rngtest bandwidth doesn't seem to suggest I'm using the hwrand capability of my Xeon
[14:12] rngd doesn't see it, modprobe-ing intel-rng doesn't work (no such device)
[14:15] I'd like to be able to pass the hardware rng through to my kvm guests, because my IPA server for example on F21 is running out of entropy all the time
[14:18] crap, now my ubuntu server has dropped my ssh connection and won't reconnect
=== Lcawte is now known as Lcawte|Away
=== matsubara is now known as matsubara-lunch
=== Lcawte|Away is now known as Lcawte
=== Lcawte is now known as Lcawte|Away
=== kickinz1 is now known as kickinz1|afk
[16:13] hi all
[16:15] how would I figure out the exact versions of each library dependency that would be installed with a package from the 12.04.00 without installing 12.04 from original media and installing the package?
[16:18] jsmith-argotec: is this what you're looking for? http://paste.ubuntu.com/10075458/
[16:18] jsmith-argotec: ah, without installing 12.04
[16:20] jsmith-argotec: probably a few ways but i think the easiest is to create an LXC container and do the above
[16:24] pmatulis: hmm ok ty
[16:25] I'm having a problem with my pacemaker cluster software after the server was rebooted.
One direction I'm going down is that a security update to a library may have caused an incompatibility with the package
[16:25] different question - what should I look for in an strace to help look in the right direction?
[16:26] jsmith-argotec: it would depend on the problem. w/o specifics it's hard to help
[16:27] ok I'm getting "corosync [IPC ] Invalid IPC credentials" error when I start pacemaker followed by "attrd: [28829]: ERROR: main: HA Signon failed"
[16:28] pmatulis: corosync communications are working and both nodes are members. When I start pacemaker I get those ^^^ errors
[16:29] jsmith-argotec: er
[16:29] pmatulis: what started it was the node was fenced. after reboot it wouldn't rejoin and had these errors. I found it had booted with an incorrect kernel which I corrected but still getting the same errors
[16:29] ivoks: hi!
[16:29] jsmith-argotec: check package version of pacemaker and liblrmd
[16:30] ivoks: I was wondering if it's the same issue that was just SRU'd in trusty and up
[16:30] ivoks: ... no liblrmd installed...
[16:30] liblrmd1
[16:30] or something
[16:30] dpkg -l | grep liblrmd
[16:30] dpkg -l | grep pacemaker
[16:30] got it
[16:30] Hi, I have ubuntu-server 14.04 running, when ubuntu exports some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[16:31] version should be exactly the same
[16:31] not even close
[16:31] 1.1.6-2ubuntu3 for pacemaker, 1.0.8-2ubuntu6 for liblrm2
[16:31] uh, that's an old version
[16:31] on 12.04
[16:31] precise
[16:31] liblrmd
[16:31] not liblrm
[16:32] dpkg -l | grep liblr
[16:32] ii liblrm2 1.0.8-2ubuntu6 Reusable cluster libraries -- liblrm2
[16:32] that's all I have
[16:32] i don't remember how it was in 12.04
[16:33] sarthor:
[16:33] ivoks: not available for install via apt-get either
[16:33] 1.0.8-2ubuntu6 is correct on 12.04
[16:34] according to showpkg, dependencies list liblrm2 not liblrmd
[16:34] but pacemaker is 1.1.6-2ubuntu3.3
[16:34] that's fine
[16:34] liblrm is not from pacemaker source
[16:34] it's from cluster-glue
[16:35] pmatulis: yes that's the latest but I was running 1.1.6-2ubuntu3 when I had issues. tried upgrading which didn't help
[16:35] oh
[16:35] did you just upgrade pacemaker or did you do dist-upgrade?
[16:35] and downgraded back just in cast
[16:35] case
[16:35] just pacemaker
[16:36] so problems with both versions?
[16:36] but I have upgraded some libraries along the way from security etc
[16:36] pmatulis: yes
[16:36] see if dist-upgrade will install something in addition
[16:37] and I put the other working node in maintenance and restarted the services there and now it's exhibiting the same errors
[16:37] jsmith-argotec: did you ever reboot successfully on any version?
[16:37] pmatulis: yes I have a reboot/successful rejoin from December
[16:38] jsmith-argotec: and you rebooted again, w/o changing anything and you have problems?
=== martins-afk is now known as martinst
[16:38] jsmith-argotec: and then you tried fixing by upgrading stuff?
[16:38] ivoks: there's over 300 packages that would update... don't really want to update all of them
[16:39] try upgrading cluster-glue, if available
[16:39] pmatulis: node was fenced so it rebooted, then it didn't work. There had been (at least) one package installed between.
[16:39] pmatulis: it booted with a newer kernel also which I reverted and also uninstalled everything from the last package install. Still not working so I tried the upgrade
[16:40] ivoks: nothing new for cluster-glue
[16:40] i doubt that
[16:40] i bet on user error :)
[16:41] doubt what... nothing new for cluster-glue/
[16:41] ?
[16:41] are you starting pacemaker as a service or is corosync starting it?
[16:42] I start corosync manually and then pacemaker manually (plugin ver 1)
[16:42] as a service
[16:43] for history these 2 nodes have been running stable in production (failed over a few times as designed) for over 18 months
[16:43] mount | grep shm
[16:43] ivoks: it's on tmpfs: none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:43] which is correct I believe?
[16:44] yes
[16:44] and /var/run/crm exists?
[16:44] in the strace there was something about libgpg-error right around the time of the HA signon error in the logs... is that something?
[16:45] is /var/run also tmpfs?
[16:46] run is... tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
[16:46] none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
[16:46] none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:46] /var/run
[16:46] don't see /var/run
[16:46] /var/run -> /run
[16:46] do you have /var/run/crm?
[16:46] and run is on tmpfs
=== collizio1 is now known as collizion
[16:47] yes
[16:47] Our next server is likely going to be a Dell R730 or HP DL380 Gen9. Both run best with either Dell or HP branded SAS drives. What limitations would I run into if I use generic Seagate SAS drives?
[16:48] jsmith-argotec: and permissions on stuff in /var/run/crm look ok?
[16:48] umm no.. hang on
[16:48] all should be hacluster:haclient right?
[16:49] do you have another cluster running on the same network?
[16:49] no
[16:49] uhh wait
[16:49] maybe
[16:49] quite possible, i'd say
[16:49] and you didn't set authkey
[16:50] or change the multicast port
[16:50] let me check that!
[16:56] ivoks: yes there are two 2 node clusters... wasn't thinking about the other set the other admin set up.
[16:57] always use authkey in corosync
[16:57] but.. both have secauth on, authkey created, both have 2 rings on 2 separate redundant nics (2 direct connect, 2 LAN), and all 4 are different mcast addresses
[16:57] always.
[16:57] you need to change mcast port
[16:58] so each cluster needs to use a different port at least on the common LAN even if different mcast addresses?
[16:59] which mcast addresses do you use?
[16:59] isn't that particular to corosync communications not pacemaker or am I way off? 'cause both nodes are members of the coro rings
[16:59] both?
[16:59] you have only two nodes?
[17:00] one cluster: mcastaddr: 226.94.1.1, mcastaddr: 239.192.0.1. second cluster: 239.198.10.1, 239.199.20.1, all port 5405
[17:00] yes only 2 nodes in each cluster, 2 clusters
[17:01] er
[17:01] different mcast addresses on different nodes in the same cluster?
[17:01] I can pastebin the corosync.conf if you like?
[17:01] sure
[17:02] oh, those are different rings
[17:03] * ivoks is around for next few minutes, and then I'm out of here
[17:03] http://paste.ubuntu.com/10076093/
[17:05] http://manpages.ubuntu.com/manpages/saucy/man5/votequorum.5.html
[17:05] this is the config from the 2 nodes that are having the issue
[17:05] SPECIAL FEATURES
[17:05] two_node: 1
[17:08] ivoks: but it has been working fine for months... or was that just dumb luck?
[17:10] it works while there's no disruption
[17:10] or if you reboot both at the same time
[17:11] if you reboot one by one, all kinds of things can happen
[17:11] i'm not sure that's the cause of your problem, but for a start, your configuration is missing this important bit
[17:11] OK will correct that one
=== matsubara-lunch is now known as matsubara
[17:43] jdstrand: hm. well, the thing is, the libvirt-qemu file ends in '}', so appending a rule doesn't suffice :) i wonder why it worked in the karmic case.
[17:44] i guess i'll just sed the file first...
[18:04] wait, that's messed up
[18:06] heh, mea culpa
[18:24] hallyn: actually, it would suffice cause the '}' corresponds to the 'profile qemu_bridge_helper {' child profile
[18:24] hallyn: (however, karmic didn't have that child profile)
[18:26] yeah; so i'm trying to figure out why it's still not working
[18:26] hallyn: but if you're adding a rule that is covered by an explicit deny rule, remember that deny rules are evaluated after allow rules, so you may need a sed regardless
[18:26] maybe i'll just do /tmp/** rw
[18:26] oh,
[18:26] yeah
[18:26] i thought 'deny rules evaluated after allow rules' meant they are subservient
[18:26] deny /tmp/** r,
[18:27] /tmp/** r,
[18:27] the deny always wins that
[18:27] near as i can tell i can't use testlib then
[18:27] or, i'll just make a backup and then sed to my heart's content, i guess
[18:27] hallyn: you can-- just not with append
[18:27] hallyn: read in the contents, remove the deny rules, add your rule, then replace the file without appending
[18:28] that seems more complicated
[18:28] testlib should support what I just mentioned
[18:28] * hallyn looks
[18:28] it is, but it means you can simply use a _restore() in the tearDown
[18:29] i can still do that if i make the backup
using testlib._backup
[18:30] hallyn: _update_config in test-libvirt.py does basically what I said
[18:30] hallyn: it could be much simpler for your case, but it is there for inspiration
[18:31] jdstrand: ok, thanks
[18:31] np
[18:31] i'd thought this would be a quick fix, but i'm messing it up at each attempt :) there's still another bug to fix before we can release, sigh
=== Lcawte|Away is now known as Lcawte
=== elliotd123_ is now known as elliotd123
[20:36] ivoks: I made the quorum change and both members rejoined. Still getting the same error though
[22:41] hey guys... i followed this https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts but when i get to sudo a2ensite ts3.dtscode.io it says ERROR: Site ts3.dtscode.io does not exist! how can i fix this?
[22:52] is it just me, or does trusty not have add-apt-repository? *looks confused*
[22:53] i mean, i guess i can add it manually, it just seems like a lot of trouble has been gone to to make this simple..
[22:53] apt-cache search add-apt-repository also comes up empty for me
[22:55] dtscode: did you name your config file with a .conf file extension? I think that's required
[22:56] justizin: it's in the software-properties-common package
[22:56] sarnold, thanks :D that did it
[22:56] interesting.. i guess i have typically gotten that by installing python-software-properties, but it now installs python3-software-properties
[22:56] i'll try to remember software-properties-common :)
[22:57] also i guess the official ubuntu vagrant virtualbox image doesn't have it, not sure if it's expected to be present.
[22:57] kind of seems like it makes sense to be, but i'm sure there was some long arcane e-mail flamewar that resulted in this decision. ;d
[22:57] I suspect the truth is less interesting than you suspect :) hehe
[22:59] sarnold: likely. :)
[23:10] btw tks sarnold!
[23:11] you're welcome justizin :)
[23:35] hello i have some ubuntu servers at work.
i wonder if there are any good management tools for upgrading and maintaining all the servers
[23:40] arcsky: many; landscape, ansible, puppet, chef, cfengine (ancient)
=== a1berto_ is now known as a1berto