[00:33] <joren> Hey, I'm trying debug my tftpd server but it seems to have stopped logging to syslog. I verified that the --verbose flag is set but I just can't figure out where it's logging to. anyone have any reccomendations?
[00:37] <sarnold> joren: check old rotated log files
[00:38] <joren> I just tried running it with -L to stay in the foreground and still no output, I'm thinking my tftp requests might not be making it to the server which is why I'm not seeing any logs
[00:39] <sarnold> tcpdump? :)
[00:40] <joren> eh, yeah, might come to that :P
[00:45] <joren> I think the wrong darn dhcp server was running... ugh -_-
[00:46] <Patrickdk> I had a rather useless tcpdump today :(
[00:46] <Patrickdk> tcpdump on client machine
[00:46] <Patrickdk> can access one ip fine, but not another a few ip addresses away
[00:46] <Patrickdk> connection starts, ssl kindof gets setup, then server keeps sending dup packets, cause it doesn't get an ack
[00:47] <Patrickdk> since tcpdump was running on the client, it is not an issue of the client ack getting lost, they didn't exist in the tcp dump
[00:47] <Patrickdk> then like 50seconds later, some acks go out
[00:47] <Patrickdk> then another 50seconds, it figured it all out, and fixed the mtu scaleback
[00:47] <Patrickdk> insane, odd issue
[00:48] <sarnold> "50 seconds" sounds like spanning tree protocol pain
[00:48] <Patrickdk> want to look at the dump?
[00:48] <sarnold> nothanks :)
[00:48] <Patrickdk> :)
[00:48] <Patrickdk> it's not big :) thankfully
[00:49]  * X123 specializes in odd issues
[00:49] <Patrickdk> spanning tree running on the clients win 8.1 desktop? :)
[00:49] <sarnold> Patrickdk: ugh
[00:49] <Patrickdk> really odd, and I doubt that dump is a proper sample of our real issue
[00:50] <Patrickdk> that seems to be, likely, one of our clients got their domain *improperly* listed on virgins blacklist again
[00:50] <Patrickdk> they keep thinking it's some porn site, no idea why
[00:51] <sarnold> .uk? :)
[00:51] <Patrickdk> uk, plus other random parts of eu too
[00:51] <Patrickdk> but it seems virgin is the most *sensitive*
[00:56] <pmatulis> i think there's a joke in there somewhere
[00:59] <joren> "who-has es-pxe0" well that's not right, missing a dash :)
[03:10] <dtscode> hey guys... i followed this to a T, https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts and it worked before, but now its not working. any ideas why?
[03:11] <sarnold> dtscode: iirc, the apache initscript has a 'configuration check' option; it's worth running that to make sure the config file parses properly, no errors, etc..
[03:12] <sarnold> dtscode: if that doesn't report anything, check the logs, both for the specific virtualhost and generic error logs..
[03:12] <dtscode> ok
[03:12] <dtscode> and whats the init script again?
[03:12] <sarnold> /etc/init.d/apache or apache2 or similar.
[03:13] <dtscode> thanks
[03:13] <tdelam> I need openssl 1.0.2 due to pci scan, I installed openssl via apt-get, I noticed apt only has 1.0.1, how can I install 1.0.2? Do I revert to installing from source?
[03:14] <sarnold> tdelam: ugh. hate.
[03:14] <tdelam> sarnold: ?
[03:14] <sarnold> tdelam: I don't know why they always assume everyone builds their servers themselves...
[03:15] <tdelam> yea :(
[03:15] <dtscode> sarnold, im not seeing any help option. just {start|stop|graceful-stop|restart|reload|force-reload|start-htcacheclean|stop-htcacheclean}
[03:15] <sarnold> tdelam: completely ignoring that nearly everyone runs something like ubuntu or debian or rhel or sles and uses packages with backported security fixes....
[03:15] <sarnold> tdelam: maybe aim the auditor at this? http://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html
[03:16] <sarnold> dtscode: dang. maybe it's an apachectl command line option? I could have sworn it was offered by the initscript though :/
[03:16] <dtscode> maybe it just always does a sanity check?
[03:16] <sarnold> dtscode: but there should be a way t oget the sanity check without stopping a running server
[03:17] <dtscode> hmmm... ill have to google
[03:17] <sarnold> ... and get the messages to your terminal, rather than a log file ;)
[03:17] <tdelam> sarnold: I've tried to argue with this but given the size of the company they only live on version number consistency. Sadly, we got bought out and now we're stuck trying to satisfy bigwigs.
[03:17] <tdelam> I don't do IT, I just have access and know my way around Ubuntu from using it at home. Tthis is a bandaid solution until migration is complete.
[03:18] <tdelam> I build software, not mess with this stuff :(
[03:18] <sarnold> tdelam: this one feels worth pushing back on -- you'd have to rebuild all your services that use openssl to use your own from-source openssl
[03:18] <sarnold> tdelam: .. and then you'd have to keep up on the security updates for openssl and all your other services yourself. That's what we're here for. :)
[03:18] <tdelam> sarnold: well, happily this server is only a proxy server that onnly forwards requests to one web site. SSL is not even being used
[03:18] <sarnold> tdelam: ha! sigh.
[03:19] <dtscode> dtscode@dtscode:~/ackbot$ apache2ctl configtest
[03:19] <dtscode> Syntax OK
[03:19] <tdelam> yea, sarnold... I know.
[03:19] <sarnold> dtscode: nice :)
[03:19] <dtscode> :/
[03:19] <sarnold> dtscode: so, time to go hunting through log files...
[03:19] <tdelam> couldn't I just remove it?
[03:19] <dtscode> sarnold, meh. i was hoping it was the issue. easy fix. yep. log file time
[03:19] <sarnold> tdelam: maybe. worth a shot...
[03:20] <sarnold> tdelam: d'oh. that'd remove openssh-server. that's not going to be a good solution.
[03:20] <tdelam> sarnold: that's what I will do. Not a single thing OpenSSL is being used on this server, this server is nothing but a bandaid.
[03:20] <tdelam> oh ssh has to be turned off
[03:21] <sarnold> o_O
[03:21] <tdelam> it's not even running, hasn't been in a few months. I do this all through some ugly java console.
[03:21] <sarnold> what a wacky auditor..
[03:21] <tdelam> I hate it.
[03:21] <sarnold> *ahem* how's the resume?
[03:21] <sarnold> sounds like a silly place to work
[03:22] <sarnold> sorry :)
[03:22] <tdelam> sarnold: I turned it off. I will ask him to do a dryrun before our official PCI scan in a few days.
[03:22] <tdelam> sarnold: I don't work there anymore, I do some contract still at a VERY high rate.
[03:22] <sarnold> tdelam: sweet. :)
[03:23] <tdelam> Yep, thanks sarnold. All else fails; delete.
[03:31] <dtscode> how can i tell what {APACHE_LOG_DIR} is?
[03:34] <sarnold> dtscode: it's probably /var/log/apache*
[03:34] <sarnold> hehe
[03:41] <dtscode> ah thanks
[03:44] <dtscode> nothing helpful in the logs :/
[03:45] <sarnold> what helps me debug webservers is to have a tail -F *  in the log directory, then start hitting it with requests -- watch them as they happen..
[05:58] <edenist> hey
[06:00] <Anteac> anyone experienced with ispconfig autoinstaller?
[07:10] <bigbrovar> hello guys.. am kinda new to quotas especially warnquotas.. I have setup quota for users in an nfs home dir.. that is working fine..  i read warnquota can mail any user who has gone past its soft limit.. my questions is... how can I indicate to warnquota the user email address. how does it determine the user email address.. I can't seem to find this information anywhere and this don't seem to be anywhere in the config where this info can be stat
[07:10] <bigbrovar> ed
[07:48] <arcsky> sarnold: thanks
[07:49] <arcsky> morning, which ones do you guys recommend  landscape, ansible, puppet, chef, cfengine (ancient) ?
[07:54] <Sling> for doing what, in what environment, scale, etc
[07:55] <eren> hello
[07:56] <eren> where are the source packages for openstack juno release? I can get the sources with "apt-get source" but I would like to see the source packages in some kind of a git tree
[07:56] <eren> is it how it's developed?
[07:56] <Sling> eren: probably better to ask in #openstack
[07:56] <Sling> unless you specifically mean the ubuntu openstack package development
[07:57] <eren> Sling: I'm asking for ubuntu openstack package development
[07:57] <arcsky> i just have few (5-10) ubuntu servers i our company. and has not scale that good lets say 10 more. in next few years. running DNS,NTP,FTP,HTTP. Finance industry so has to be high focus on security
[07:57] <eren> kernel team maintains git repository so that I can checkout and create debian packages
[07:57] <eren> I would like to, if possible, do the same with openstack packages
[08:03] <Sling> eren: can't seem to find it, weird launchpad stuff
[08:03] <Sling> I ended up at https://jenkins.qa.ubuntu.com/view/Openstack_Testing/view/Juno/
[08:04] <Sling> perhaps that gives some lead to where the actual repositories are with src :)
[08:14] <eren> Sling: thanks! :) I guess I need to ask the actual maintainers. I hope it's in git repository
[08:14] <eren> bzr stuff is really a pain
[08:15] <Sling> indeed
[08:15] <Sling> semi-opensource
[08:29] <MaamuT> hi all \o
[08:30] <MaamuT> sorry for my funny english, i'm french ;)
[08:31] <MaamuT> 2 server with ubuntu 14.04 TLS
[08:31] <MaamuT> in both : apt update
[08:31] <MaamuT> in first : Hit http://mirrors.gandi.net trusty/main amd64 Packages
[08:32] <MaamuT> in second : Hit http://mirrors.gandi.net trusty/main amd64 Packages 404 Not Found
[08:32] <MaamuT> oops
[08:32] <MaamuT> in second : Err http://mirrors.gandi.net trusty/main amd64 Packages
[08:32] <MaamuT> arg, sorry
[08:32] <MaamuT> in first : Hit http://mirrors.gandi.net trusty/main amd64 Packages
[08:33] <MaamuT> in second : Err http://mirrors.gandi.net trusty/main amd64 Packages 404 Not Found
[08:33] <MaamuT> same sources.list on both
[08:33] <MaamuT> same provider
[09:23] <eren> Sling: just got an email from maintainer, apperantly it's developed in bzr and lp, not git
[09:23] <eren> need to learn bzr workflw
[09:24] <lordievader> Good morning.
[10:16] <YamakasY> hu guys!
[10:17] <YamakasY> does someone have a good example for the sources.list without the i386 issues ?
[10:59] <pruttel> Should sudo be a primary group for a sudo user or does this user only need to be member (what's the difference?)
[11:01] <pruttel> From what I read now, I think, it does not need to be a primary group.
[12:11] <rbasak> jpds: any opinion on bug 1418287 please? Do you have time to look it it before feature freeze?
[12:11] <rbasak> https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1418287
[12:14] <jpds> rbasak: Surely we can just sync from Debianfor unbound?
[12:15] <jpds> rbasak: All we did in the Ubuntu package was enable the testsuite for main inclusion.
[12:17] <rbasak> jpds: I see a fair few more changes than that: https://launchpad.net/ubuntu/+source/unbound/+changelog
[12:17] <rbasak> jpds: a sync would be fine if the delta can be dropped, but I'm not familiar with the changes and so am not sure without further investigation.
[12:19] <jpds> rbasak: I'll have to look at things once I'm back from the sprint.
[12:19] <jpds> Looking at the build logs, Debian still hasn't enabled the testsuite... :(
[12:20] <rbasak> jpds: thanks!
[12:30] <bigbrovar> hello guys.. am kinda new to quotas especially warnquotas.. I have setup quota for users in an nfs home dir.. that is working fine..  i read warnquota can mail any user who has gone past its soft limit.. my questions is... how can I indicate to warnquota the user email address. how does it determine the user email address.. I can't seem to find this information anywhere and this don't seem to be anywhere in the config where this info can be stat
[12:30] <bigbrovar> ed
[12:44] <arcsky> what ubuntu mangment tool do you guys use for maintain your ubuntu servers?
[12:50] <henkjan> arcsky: mostly apt and vim :)
[12:52] <YamakasY> does someone have a good example for the sources.list without the i386 issues ?
[12:54] <arcsky> henkjan: i mean system for mangement like apt-get update on all. GUI wise
[14:00] <nivv> Hey guys! I have a group called www-data. This group is the owner of the folder /var/www/site
[14:00] <nivv> I then have a user called mongo
[14:00] <nivv> mongo can create files fine because he's in the www-data group.
[14:00] <nivv> Then comes the user foobar and wants to edit the file mongo created, but he cant. Permission denied.
[14:01] <nivv> This is because the file that mongo created didn't inherit the permission of the folder
[14:01] <nivv> Why is that?
[14:01] <ikonia> what groups is the usuer foo in ?
[14:01] <nivv> www-data
[14:01] <ikonia> what is the permissions on the file
[14:01] <nivv> 644
[14:02] <ikonia> so there you go
[14:02] <ikonia> no write permission
[14:02] <nivv> yes
[14:02] <teward> nivv: 644 is too restrictive - that's -rw-r--r--
[14:02] <nivv> I want user created files to be 664
[14:02] <nivv> -rw-rw-r--
[14:03] <nivv> but when Mongo creates a file it becomes 644 automatically
[14:03] <ikonia> then set the umask
[14:03] <nivv> Yes, ikonia , I've read some about it and ppl are saying it's a bad idea
[14:03] <nivv> can you set umask on folder level?
[14:03] <ikonia> if it's a bad idea, why do you want to do it ?
[14:04] <jrwren> setfacl should let you, yes.
[14:04] <nivv> Nevermind, I don't know
[14:04] <nivv> basically I want all users in the www-group to be able to edit files in /var/www
[14:04] <nivv> and it shouldn't matter who created them
[14:04] <nivv> as long as they are in the www-data group of course
[14:06] <ikonia> you'll need to set either ACL's or the umask
[14:06] <nivv> hm okay
[14:06] <teward> nivv: I question the need to put users into www-data anyways, because if it's a standard user without admin rights they could easily get db auth data and hijack the site and the db
[14:07] <teward> but that's just my security paranoia at work
[14:07] <nivv> teward, that's true I suppose
[14:07] <nivv> doesn't really fix my problem though
[14:07] <nivv> :)
[14:08] <teward> nivv: no, it doesn't, i'm just making that security concern of mine known - you'll either need to set ACLs or the umask to do what you want to
[14:09] <nivv> Yup, trying to find some good resources on how to do that
[14:10] <nivv> teward, ik
[14:10] <jrwren> nivv: setfacl -m d:g:www-data:rw /var/www/
[14:10] <nivv> ah yiss
[14:11] <jrwren> nivv: if you are publishing web content from multiple editors, there are likely many other better ways to do it.
[14:11] <jrwren> nivv: keep your web content in source control and use a post commit hook to publish to the server for example.
[14:11] <nivv> jrwren how so? The other guys are using sftp, the don't even know what git is
[14:11] <nivv> they*
[14:12] <nivv> jrwren yea, that would be ideal, but we have many small projects using the same cms, that is source controlled. can't really update all of them if I push a commit
[14:12] <jrwren> nivv: I'm idealizing the world. Now is a great time for them to learn :)
[14:12] <nivv> jrwren they're still using asp classic -.-
[14:13] <jrwren> nivv: good times that was.
[14:19] <nivv> jrwren what does the "d" and "g" mean in d:g:www-data:rw /var/www/
[14:19] <jrwren> nivv: default. it sets the default for new files.
[14:21] <nivv> jrwren okay, it didn't work :)
[14:22] <nivv> It seems that if I create a folder it sets the permissions correctly, but not new files
[14:22] <nivv> or scratch that, it doesnt
[14:23] <jrwren> nivv: filesystem mounted with acl support?
[14:23] <nivv> huh nope
[14:23] <nivv> shieet
[14:24] <nivv> that's sounds like a big thing to change?
[14:24] <jrwren> nivv: no. update /etc/fstab and mount /PATH -o remount,acl
[14:25] <nivv> is that all? I'm on a hosted vps, and that sounds scary :D
[14:25] <nivv> isn't there any other way? ;)
[14:25] <nivv> jrwren what does the PATH refer to?
[14:26] <jrwren> nivv: whatever the mount point is. probably /, but you might have /var/www elsewhere.
[14:27] <nivv> jrwren seems like standard /var/www ? https://www.dropbox.com/s/6xapm303nwi41f5/Sk%C3%A4rmklipp%202015-02-06%2015.27.28.png?dl=0
[14:28] <jrwren> nivv: mount will show you which filesystems are mounted at which points.
[14:29] <nivv> https://www.dropbox.com/s/193k1ce1ges3as7/Sk%C3%A4rmklipp%202015-02-06%2015.29.06.png?dl=0
[14:29] <jrwren> nivv: yeah, go for it with / then.
[14:30] <jrwren> nivv: a bit strange that you don't have devfs, sysfs, procfs and tmpfs mount points showing.
[14:30] <nivv> Do I have to reboot or how do I remount?
[14:32] <nivv> jrwren like this? https://www.dropbox.com/s/3wfrlhse5t0kjpx/Sk%C3%A4rmklipp%202015-02-06%2015.32.07.png?dl=0
[14:33] <jrwren> nivv: no no no
[14:33] <jrwren> nivv: undo all that.
[14:33] <jrwren> nivv: lets not touch fstab for now, K?
[14:33] <nivv> hah, sure!
[14:33] <jrwren> nivv: sudo mount -o remount,acl /
[14:33] <jrwren> nivv: just that.
[14:33] <jrwren> nivv: then try that setfacl again.
[14:34] <jrwren> nivv: use getfacl to confirm that the setfacl worked.
[14:34] <nivv> hm, this seems somehow safer http://superuser.com/questions/612771/how-to-set-umask-for-a-folder-and-its-subfolder
[14:34] <jrwren> nivv: if you can get that to work, go for it! :)
[14:34] <nivv> I mean safer in a "at least I didnt bring down the server kind of way"
[14:35] <jrwren> we have different definitions of safety in that regard :)
[14:38] <jsmith-argotec> ivoks: you around?  still working on that pacemaker problem if you have a few minutes to help troubleshoot
[14:38] <nivv> jrwren hm, I guess
[14:39] <zzxc> Hey how do I change the mailserver from mailx to mailutils in ubuntu 14.04?
[14:40] <zzxc> or more accurately the "mail" command.
[14:40] <nivv> jrwren what should happen when I run sudo mount -o remount,acl / ?
[14:40] <nivv> should I do the setfacl after that?
[14:40] <nivv> I've already did it once
[14:41] <jrwren> nivv: use getfacl to read the acls and see if you need to do it again.
[14:41] <nivv> jr
[14:42] <nivv> jrwren now or after? https://www.dropbox.com/s/rg9pi05lfbh3s5u/Sk%C3%A4rmklipp%202015-02-06%2015.42.37.png?dl=0
[14:43] <jrwren> nivv: looks like the setfacl did not work because the fs was not mounted with acl support.
[14:43] <nivv> When I did "sudo mount -o remount,acl /" I got bad option
[14:43] <nivv> okay good
[14:43] <nivv> "mount: / not mounted or bad option"
[14:45] <jrwren> nivv: works for me. Sorry. I don't know why that would fail.
[14:46] <nivv> jrwren alright!
[14:48] <nivv> jrwren, it's strange that this little task i so complicated
[14:49] <nivv> I mean, why even have group if the group doesn't allow the group to edit the files :)
[14:51] <jrwren> nivv: it does of course. group has rwx, just like user and everyone
[14:52] <nivv> Yeah but if a new file is created then it should be applied to the new file as well
[14:54] <jrwren> nivv: should it? there is strong argument for both.
[14:55] <nivv> jrwren, the only solution for us is to either to use ACL. Which seems to be a pain to setup, or we both have to use the same account :/
[14:56] <jrwren> nivv: many other possible solutions when you take a step back and try to solve the bigger problem.
[14:56] <nivv> jrwren I knowm I know
[14:56] <jrwren> nivv: did you try http://superuser.com/questions/612771/how-to-set-umask-for-a-folder-and-its-subfolder yet?
[14:57] <nivv> yes, But then you said something concerning security so I passed on that one :)
[14:57] <nivv> you see, I'm like a 5 yr old child, if someone tells me something, it's the absolute truth
[14:57] <nivv> :D
[14:58] <nivv> it  did work, I tried it, but I don't know what consequences it might have on security.
[15:02] <jrwren> nivv: it wasn't me. someone else said something about security :)
[15:02] <nivv> Hah, alright
[15:02] <nivv> I mean, if I set the umask to 002 then only users in the www-group can edit the files right?
[15:08] <jrwren> nivv: no. you should probably read and fully understand modes and masks
[15:10] <nivv> jrwren really a shame that I have to go. I need to get better at his. I
[15:11] <nivv> The folder I'm talking about is owned by the group www-data, then that would only allow users in the www-group to edit the files?
[15:14] <nivv> jrwren thanks for the help though!
[16:20] <coreycb> zul, also need python-oslo.context in vivid
[16:20] <coreycb> in adition to the oslo bumps
[16:21] <zul> coreycb: it should be there
[16:21] <zul> coreycb:  bah
[16:21] <coreycb> yeah not seeing it unless I spelled it wrong
[16:35] <coreycb> zul, test-requirements.txt for ceilometer needs gabbi(?) and pyhon-elasticsearch (in universe)
[16:35] <zul> wtf is gabbi?
[16:36] <coreycb> zul, https://pypi.python.org/pypi/gabbi/0.1.1
[16:37] <zul> seriously
[18:20] <lucidguy> Just enabled/configed eth1, it is responding to the network but iftop and iptraf does not seem to log any traffic, thoughts?
[18:46] <sarnold> lucidguy: perhaps they enumerated the interfaces at start and don't periodically re-enumerate interfaces? check the docs, sometimes you can send daemons a signal to force them to re-initialize themselves
[20:00] <adebayo> hi, pls i need help concerning openvswitch
[20:01] <adebayo> there is a problem with the latest kernel and i need to remove it to install another one
[20:01] <lucidguy> hmm, I have an ubuntu server that traffic packets were custom/changed to go out certain devices depending on source nic, where does one set that?
[20:06] <sarnold> adebayo: run this to see what kernel versions you have installed: dpkg -l 'linux-image*' | awk '/^ii/ {print $1, $2, $3}'
[20:07] <sarnold> adebayo: if one of those will suffice, you ought to be able to select a new kernel at the grub prompt when you reboot, if you have console access
[20:11] <adebayo> I was told the one i install is  Package: openvswitch-datapath-dkms 2.0.2-0ubuntu0.14.04.1 which is causing the problem and i need to install another one without the datapath which i dont know how to
[20:12] <adebayo> sarnord: can you pls help me out with that
[20:13] <sarnold> adebayo: ah, so you need a different version of the module?
[20:17] <adebayo> yes
[20:17] <sarnold> adebayo: apt-get install openvswitch-datapath-dkms=..... -- where the ... are the version that you need; apt-cache show openvswitch-datapath-dkms  ought to show you the versions that are available
[20:18] <adebayo> i have run the command you gave me the kernel is 3.13.0.45.52 amd64
[20:27] <adebayo> hi sarnold
[22:35] <Aison> is there some ppa with bacula version 7 packages for ubuntu
[22:36] <Aison> ubuntu bacula packages are quite old