[00:17] <zotta> I want to execute a conversion program on data uploaded to a website. However the converter is known to have security issues all the time.
[00:17] <zotta> Is there a way to run such a program in a sandbox?
[00:17] <zotta> Basically I want to restrict reading files to one input file and writing to one output file, prevent network access and limit execution time and ram
[00:21] <sarnold> zotta: you can wrap the converter in an apparmor profile
[00:21] <Patrickdk> well, if you combine apparmor and ulimit will do most of that
[00:21] <Patrickdk> but never looked at limiting network access
[00:22] <sarnold> apparmor can deny network access, "deny network," ought to do the trick -- but that might also forbid e.g. unix sockets if that's how the web server drives it, hehe
[00:23] <jjohansen> sarnold: sure but you can allow unix sockets, and just not allow network
[00:24] <jjohansen> since its default deny, network will be denied
[00:24] <sarnold> hey jjohansen :)
[00:24] <jjohansen> hey sarnold
[00:26] <zotta> Does it support whitelist for file read access?
[00:26] <sarnold> zotta: yes
[00:26] <sarnold> zotta: for example, here's my irssi (irc client) profile: http://paste.ubuntu.com/10062642/
[00:27] <zotta> Sounds great. I will up on it.
[00:27] <sarnold> hmm, that could use some slight improvements...
[00:27] <sarnold> but I hope it helps convey the flavour of apparmor profiles :)
[00:28] <zotta> :) thx
[02:00] <Patrickdk> I had to adjust my apparmor profile today :(
[02:00] <Patrickdk> users couldn't send email
[02:01] <jjohansen> Patrickdk: what was the message that was logged?
[02:01] <jjohansen>   dmesg | grep DENIED
[02:01] <jjohansen> or
[02:01] <jjohansen>   grep DENIED /var/log/syslog
[02:01] <Patrickdk> heh?
[02:02] <Patrickdk> the message that was logged was, denied x to /usr/sbin/sendmail
[02:03] <Patrickdk> as, by normal sanity, there is nothing in /usr/sbin a user needs, except sendmail apparently
[02:04] <sarnold> you let your users send email? how decadent :)
[02:05] <Patrickdk> sarnold, heh, it's been like this for years, first time someone had a problem
[02:05] <sarnold> :)
[02:05] <Patrickdk> calling sendmail is such a hack though
[02:05] <jjohansen> Patrickdk: so since we don't supply a send mail profile I would recommend going with either
[02:05] <jjohansen>   /usr/bin/sendmail  ix,
[02:05] <jjohansen> or
[02:05] <jjohansen>   /usr/bin/sendmail pix,
[02:06] <Patrickdk> wouldn't work
[02:06] <Patrickdk> /usr/sbin/sendmail ix
[02:06] <Patrickdk> is what I used
[02:06] <Patrickdk> it then required, /usr/sbin/postdrop ix
[02:06] <jjohansen> oh fun
[02:08] <Patrickdk> name="/usr/sbin/sendmail" pid=10663 comm="mailx" requested_mask="x" denied_mask="x"
[02:09] <Patrickdk> I just have a huge profile I wrote, that gives the users exactly what they need and nothing else
[02:10] <Patrickdk> then I locked it to bash and dash
[02:10] <Patrickdk> works really well
[02:10] <jjohansen> nice
[02:10] <Patrickdk> users start with bash shell, and can't change it
[02:11] <Patrickdk> hmm, only 133 lines :)
[02:12] <Patrickdk> I saw apache suexec got apparmor support :) that is nice
[02:12] <Patrickdk> I had patched mine a long time ago with it, works well there too
[02:14] <jjohansen> oh nice, I didn't know that suexec had apparmor support, /me will have to look at what they are doing. apparmor does have the mod_apparmor apache plugin that allows profiles to be set based off of urls etc
[02:15] <jjohansen> but the suexec change is new to me
[02:15] <Patrickdk> oh, maybe it was mod_apparmor
[02:15] <Patrickdk> I know it could use hatchange in apache
[02:15] <Patrickdk> and suexec would be affected
[02:15] <Patrickdk> maybe it wasn't directly in suexec
[02:17] <jjohansen> ah maybe still worth looking into
[04:12] <grendal_prime> you know this seems stupid..like i should know this, but isnt it possible to send all traffic destined for an fqdn to a local ip.... i mean without setting the hosts file on the client?
[04:13] <grendal_prime> i have a dns server but i only want to do this with...like port 80 traffic
[04:55] <grendal_prime> ya so this is whack
[05:08] <grendal_prime> it seems like if i set that in the hosts file of my ubuntu router, it should just route things to there.
[05:08] <grendal_prime> but that is not working
[06:24] <lordievader> Good morning
[06:24] <sarnold> grendal_prime: hunt around for a "transparent proxy howto", it'll have iptables rules that you can use to redirect traffic as you wish
[06:25] <grendal_prime> ya thats how i usually do this..but that does not seem to be working
[06:25] <grendal_prime> i cant figure out what the heck is going on actually
[06:27] <grendal_prime> i have used haproxy to do this as well..but its weird..its like my iptables changes are not taking effect.
[07:00] <grendal_prime> sarnold, i actually like the haproxy approach for what im doing, cause i can subdomain the web requests...and well also the xmpp i think.
[07:00] <grendal_prime> well...maybe not on those.
[07:01] <grendal_prime> well actually it looks like ya thats doable
[07:03] <grendal_prime> the proxy works from outside..but..hmm i think this is an issue with the router/firewall between my router/firewall and the wall.
[07:03] <grendal_prime> this is getting very frustrating.  The domain does not resolve to that internal ip and, hmm
[07:41] <grendal_prime> this is fn crazy
[07:41] <grendal_prime> i just...grrrrrr
[07:42] <grendal_prime> I have access to the dhcp server..i have access to the dns server...i cant make the internal machines go to something inside instead of outside the network?
[07:42] <grendal_prime> its just nuts
[13:09] <Anteac> im got aids
[13:09] <Anteac> just now
[13:09] <Anteac> from serverpilot
[13:24] <alias_neo> Hi guys, I'm trying to get the hw_random working in my xeon on ubuntu server, I'm struggling to get it to work properly, anybody got experience with it? I cant seem to get the intel kernel module to load and /dev/hwrng doesn't show up unless i start virtio-rng
[13:32] <alias_neo> Is 19GiB/s plausible for urandom if it's not using hwrng?
[13:33] <alias_neo> rngtest: input channel speed: (min=2.161; avg=169.892; max=19073.486)Mibits/s
[13:33] <alias_neo> or is that a red herring?
[14:00] <patdk-wk> hwrng has nothing to do with urandom
[14:01] <patdk-wk> urandom is based purely on your cpu bandwidth
[14:06] <jrwren> alias_neo: remember: http://www.2uo.de/myths-about-urandom/
[14:08] <alias_neo> jrwren thanks
[14:10] <jrwren> alias_neo: afaik, kernel will use RDRAND if the instruction is available.
[14:12] <alias_neo> my rngtest bandwidth doesn't seem to suggest I'm using the hwrand capability of my Xeon
[14:12] <alias_neo> rngd doesn't see it, modprobe-ing intel-rng doesn't work (no such device)
[14:15] <alias_neo> I'd like to be able to pass the hardware rng through to my kvm guests, because my IPA server for example on F21 is running out of entropy all the time
[14:18] <alias_neo> crap, now my ubuntu server has dropped my ssh connection and won't reconnect
[16:13] <jsmith-argotec> hi all
[16:15] <jsmith-argotec> how would I figure out the exact versions of each library dependency that would be installed with a package from the 12.04.00 without installing 12.04 from original media and installing the package?
[16:18] <pmatulis> jsmith-argotec: is this what you're looking for?  http://paste.ubuntu.com/10075458/
[16:18] <pmatulis> jsmith-argotec: ah, without installing 12.04
[16:20] <pmatulis> jsmith-argotec: probably a few ways but i think the easiest is to create an LXC container and doing the above
[16:24] <jsmith-argotec> pmatulis: hmm ok ty
[16:25] <jsmith-argotec> I'm having a problem with my pacemaker cluster software after the server was rebooted.  One direction I'm going down is that a security update to a library may have caused an incompatibility with the package
[16:25] <jsmith-argotec> different question - what should I look for in an strace to help look in the right direction?
[16:26] <pmatulis> jsmith-argotec: it would depend on the problem.  w/o specifics it's hard to help
[16:27] <jsmith-argotec> ok I'm getting "corosync [IPC ] Invalid IPC credentials" error when I start pacemaker followed by "attrd: [28829]: ERROR: main: HA Signon failed"
[16:28] <jsmith-argotec> pmatulis: corosync communications are working and both nodes are members.  When I start pacemaker I get those ^^^ errors
[16:29] <ivoks> jsmith-argotec: er
[16:29] <jsmith-argotec> pmatulis: what started it was the node was fenced. after reboot it wouldn't rejoin and had these errors.  I found it had booted with an incorrect kernel which I correct but still getting the same errors
[16:29] <jsmith-argotec> ivoks: hi!
[16:29] <ivoks> jsmith-argotec: check package version of pacemaker and liblrmd
[16:30] <jsmith-argotec> ivoks: I was wondering if its the same issue that was just SRU'd in trusty and up
[16:30] <jsmith-argotec> ivoks: ... no liblrmd installed...
[16:30] <ivoks> liblrmd1
[16:30] <ivoks> or something
[16:30] <ivoks> dpkg -l | grep liblrmd
[16:30] <ivoks> dpkg -l | grep pacemaker
[16:30] <jsmith-argotec> got it
[16:30] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[16:31] <ivoks> version should be exactly the same
[16:31] <jsmith-argotec> not even close
[16:31] <jsmith-argotec> 1.1.6-2ubuntu3 for pacemaker, 1.0.8-2ubuntu6 for liblrm2
[16:31] <ivoks> uh, that's an old version
[16:31] <jsmith-argotec> on 12.04
[16:31] <jsmith-argotec> precise
[16:31] <ivoks> liblrmd
[16:31] <ivoks> not liblrm
[16:32] <jsmith-argotec> dpkg -l | grep liblr
[16:32] <jsmith-argotec> ii  liblrm2                              1.0.8-2ubuntu6                    Reusable cluster libraries -- liblrm2
[16:32] <jsmith-argotec> that's all I have
[16:32] <ivoks> i don't remember how it was in 12.04
[16:33] <sarthor> sarthor:
[16:33] <jsmith-argotec> ivoks: not available for install via apt-get either
[16:33] <pmatulis> 1.0.8-2ubuntu6 is correct on 12.04
[16:34] <jsmith-argotec> according to showpkg dependencies lists liblrm2 not liblrmd
[16:34] <pmatulis> but pacemaker is 1.1.6-2ubuntu3.3
[16:34] <ivoks> that's fine
[16:34] <ivoks> liblrm is not from pacemaker source
[16:34] <ivoks> it's from cluster-glue
[16:35] <jsmith-argotec> pmatulis: yes thats the latest but I was running 1.1.6-2ubuntu3 when I had issues. tried upgrading which didn't help
[16:35] <pmatulis> oh
[16:35] <ivoks> did you just upgrade pacemaker or did you do dist-upgrade?
[16:35] <jsmith-argotec> and downgraded back just in cast
[16:35] <jsmith-argotec> case
[16:35] <jsmith-argotec> just pacemaker
[16:36] <pmatulis> so problems with both versions?
[16:36] <jsmith-argotec> but I have upgrade some libraries along the way from security etc
[16:36] <jsmith-argotec> pmatulis: yes
[16:36] <ivoks> see if dist-upgrade will install something in addition
[16:37] <jsmith-argotec> and I put other working node in maintenance and restarted the services there and now it's exhibiting the same errors
[16:37] <pmatulis> jsmith-argotec: did you ever reboot successfully on any version?
[16:37] <jsmith-argotec> pmatulis: yes I have a reboot/successful rejoin from December
[16:38] <pmatulis> jsmith-argotec: and you rebooted again, w/o changing anything and you have problems?
[16:38] <pmatulis> jsmith-argotec: and then you tried fixing by upgrading stuff?
[16:38] <jsmith-argotec> ivoks: theres over 300 packages that would update... dont really want to update all of them
[16:39] <ivoks> try upgrading cluster-glue, if available
[16:39] <jsmith-argotec> pmatulis: node was fenced so it rebooted, then it didn't work.  There had been (at least) one package installed between.
[16:39] <jsmith-argotec> pmatulis: it booted with a newer kernel also which I reverted and also uninstalled everything from the last package install.  Still not working so I tried the upgrade
[16:40] <jsmith-argotec> ivoks: nothing new for cluster-glue
[16:40] <ivoks> i doubt that
[16:40] <ivoks> i bet on user error :)
[16:41] <jsmith-argotec> doubt what... nothing new for cluster-glue/
[16:41] <jsmith-argotec> ?
[16:41] <ivoks> are you starting pacemaker as a service or is corosync starting it?
[16:42] <jsmith-argotec> I start corosync manually and then pacemaker manually (plugin ver 1)
[16:42] <jsmith-argotec> as a service
[16:43] <jsmith-argotec> for history these 2 nodes have been running stable in production (failed over a few times as designed) for over 18 months
[16:43] <ivoks> mount | grep shm
[16:43] <jsmith-argotec> ivoks: it's on tmpfs:  none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:43] <jsmith-argotec> which is correct I believe?
[16:44] <ivoks> yes
[16:44] <ivoks> and /var/run/crm exists?
[16:44] <jsmith-argotec> in the strace there was something about libgpg-error right around the time of the HA signon error in the logs... is that something?
[16:44] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[16:45] <ivoks> is /var/run also tmpfs?
[16:46] <jsmith-argotec>  run is... tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
[16:46] <jsmith-argotec> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
[16:46] <jsmith-argotec> none on /run/shm type tmpfs (rw,nosuid,nodev)
[16:46] <ivoks>  /var/run
[16:46] <jsmith-argotec> don't see /var/run
[16:46] <jsmith-argotec>  /var/run -> /run
[16:46] <ivoks> do you have /var/run/crm?
[16:46] <jsmith-argotec> and run is on tmpfs
[16:47] <jsmith-argotec> yes
[16:47] <jsutherland> Our next server is likely going to be a Dell R730 or HP DL380 Gen9. Both run best with either Dell or HP branded SAS drives. What limitations would I run into if I use generic Seagate SAS drives?
[16:48] <ivoks> jsmith-argotec: and permissions on stuff in /var/run/crm look ok?
[16:48] <jsmith-argotec> umm no.. hang on
[16:48] <jsmith-argotec> all should be hacluster:haclient right?
[16:49] <ivoks> do you have another cluster running on the same network?
[16:49] <jsmith-argotec> no
[16:49] <jsmith-argotec> uhh wait
[16:49] <jsmith-argotec> maybe
[16:49] <ivoks> quite possible, i'd say
[16:49] <ivoks> and you didn't set authkey
[16:50] <ivoks> or change the multicast port
[16:50] <jsmith-argotec> let me check that!
[16:56] <jsmith-argotec> ivoks: yes there are two 2 node clusters... wasn't thinking about the other set the other admin setup.
[16:57] <ivoks> always use authkey in corosync
[16:57] <jsmith-argotec> but.. both have secauth on, authkey created, both have 2 rings on 2 separate redundant nics (2 direct connect, 2 LAN), and all 4 are different mcast addresses
[16:57] <ivoks> always.
[16:57] <ivoks> you need to change mcast port
[16:58] <jsmith-argotec> so each cluster needs to use a different port at least on the common LAN even if different mcast addresses?
[16:59] <ivoks> which mcast addresses do you use?
[16:59] <jsmith-argotec> isn't that particular to corosync communications not pacemaker or am I way off?  'cause both nodes are members of the coro rings
[16:59] <ivoks> both?
[16:59] <ivoks> you have only two nodes?
[17:00] <jsmith-argotec> one cluster: mcastaddr: 226.94.1.1, mcastaddr: 239.192.0.1.  second cluster: 239.198.10.1,  239.199.20.1, all port 5405
[17:00] <jsmith-argotec> yes only 2 nodes in each cluster, 2 clusters
[17:01] <ivoks> er
[17:01] <ivoks> different mcast addresses on different nodes in the same cluster?
[17:01] <jsmith-argotec> I can pastebin the corosync.conf if you like?
[17:01] <ivoks> sure
[17:02] <ivoks> oh, those are different rings
[17:03]  * ivoks is around for next few minutes, and then I'm out of here
[17:03] <jsmith-argotec> http://paste.ubuntu.com/10076093/
[17:05] <ivoks> http://manpages.ubuntu.com/manpages/saucy/man5/votequorum.5.html
[17:05] <jsmith-argotec> this is the config from the 2 nodes that are having the issue
[17:05] <ivoks> SPECIAL FEATURES
[17:05] <ivoks> two_node: 1
[17:08] <jsmith-argotec> ivoks: but it has been working fine for months... or was that just dumb luck?
[17:10] <ivoks> it works while there's no disruption
[17:10] <ivoks> or if you reboot both at the same time
[17:11] <ivoks> if you reboot one by one, all kinds of things can happen
[17:11] <ivoks> i'm not sure that's the cause of your problem, but for start, your configuration is missing this important bit
[17:11] <jsmith-argotec> OK will correct that one
[17:29] <sarthor> Hi, I have ubuntu-server 14.04 running, when ubuntu export some text to pdf, I can not see arabic words in a proper way. irregular fonts showing, How can I fix this. HELP please.
[17:43] <hallyn> jdstrand: hm.  well, the thing is, the libvirt-qemu file ends in '}', so appending a rule doesn't suffice :)  i wonder why it worked in the karmic case.
[17:44] <hallyn> i guess i'll just sed the file first...
[18:04] <hallyn> wait, that's messed up
[18:06] <hallyn> heh, mea culpa
[18:24] <jdstrand> hallyn: actually, it would suffice cause the '}' corresponds to the 'profile qemu_bridge_helper {' child profile
[18:24] <jdstrand> hallyn: (however, karmic didn't have that child profile)
[18:26] <hallyn> yeah;  so i'm trying to figure out why it's still not working
[18:26] <jdstrand> hallyn: but if you're adding a rule that is covered by an explicit deny rule, remember that deny rules are evaluated after allow rules, so you may need a sed regardless
[18:26] <hallyn> maybe i'll just do /tmp/** rw
[18:26] <hallyn> oh,
[18:26] <jdstrand> yeah
[18:26] <hallyn> i thought 'deny rules evaluated after allow rules' meant they are subservient
[18:26] <jdstrand> deny /tmp/** r,
[18:27] <jdstrand> /tmp/** r,
[18:27] <jdstrand> the deny always wins that
[18:27] <hallyn> near as i can tell i can't use testlib then
[18:27] <hallyn> or, i'll just make a backup and then sed to my heart's content, i guess
[18:27] <jdstrand> hallyn: you can-- just not with append
[18:27] <jdstrand> hallyn: read in the contents, remove the deny rules, add your rule, then replace the file without appending
[18:28] <hallyn> that seems more complicated
[18:28] <jdstrand> testlib should support what I just mentioned
[18:28]  * hallyn looks
[18:28] <jdstrand> it is, but it means you can simply use a _restore() in the tearDown
[18:29] <hallyn> i can still do that if i make the backup using testlib._bakcup
[18:30] <jdstrand> hallyn: _update_config in test-libvirt.py does basically what I said
[18:30] <jdstrand> hallyn: it could be much simpler for your case, but it is there for inspiration
[18:31] <hallyn> jdstrand: ok, thanks
[18:31] <jdstrand> np
[18:31] <hallyn> i'd thought this would be a quick fix, but i'm messing it up at each attempt :)  there's still another bug to fix before we can release, sigh
[20:36] <jsmith-argotec> ivoks: I made the quorum change and both members rejoined.  Still getting the same error though
[22:41] <dtscode> hey guys... i followed this https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts but when i get to sudo a2ensite ts3.dtscode.io it says ERROR: Site ts3.dtscode.io does not exist! how can i fix this?
[22:52] <justizin> is it just me, or does trusty not have add-apt-repository? *looks confused*
[22:53] <justizin> i mean, i guess i can add it manually, it just seems like a lot of trouble has been gone to to make this simple..
[22:53] <justizin> apt-cache search add-apt-repository also comes up empty for me
[22:55] <sarnold> dtscode: did you name your config file with a .conf file extension? I think that's required
[22:56] <sarnold> justizin: it's in the software-properties-common package
[22:56] <dtscode> sarnold, thanks :D that did it
[22:56] <justizin> interesting.. i guess i have typically gotten that by installing python-software-properties, but it now installs python3-software-properties
[22:56] <justizin> i'll try to remember software-properties-common :)
[22:57] <justizin> also i guess the official ubuntu vagrant virtualbox image doesn't have it, not sure if it's expected to be present.
[22:57] <justizin> kind of seems like it makes sense to be, but i'm sure there was some long arcane e-mail flamewar that resulted in this decision. ;d
[22:57] <sarnold> I suspect the truth is less interesting than you suspect :) hehe
[22:59] <justizin> sarnold: likely. :)
[23:10] <justizin> btw tks sarnold!
[23:11] <sarnold> you're welcome justizin :)
[23:35] <arcsky> hello i have some ubuntu servers at work. i wonder if there are any good management tool for upgrade and maintain all the servers
[23:40] <sarnold> arcsky: many; landscape, ansible, puppet, chef, cfengine (ancient)