/srv/irclogs.ubuntu.com/2015/02/25/#ubuntu-server.txt

=== Lcawte is now known as Lcawte|Away
=== martins-afk is now known as martinst
=== pleia2_ is now known as pleia2
=== markthomas is now known as markthomas|away
=== rcj is now known as Guest72514
=== CiPi is now known as cipi
=== Odd_Blok1 is now known as Odd_Bloke
09:24 <lordievader> Good morning.
=== kickinz1|afk is now known as kickinz1
=== Lcawte|Away is now known as Lcawte
11:21 <Prezident> Morning
11:45 <haithar> Hi all! I'm a ~beginner sysadmin and currently working on moving 10+ reverse proxies (on old Fedora, CentOS etc.) to Ubuntu LTS. I've installed Ubuntu 14.04.1 LTS and its Squid (3.3.8) has a serious bug ( http://bugs.squid-cache.org/show_bug.cgi?id=3806 ) that basically means Squid won't cache much in real life. (It doesn't cache any item with a Vary HTTP header - and that's often used on HTML, CSS and JS files.) What do you think I should/could do? Use Ubuntu 12 LTS? Or maybe that non-security patch could be included in 14 LTS? (Well it is indeed hardening existing functionality.)
11:46 <jpds> haithar: That bug is fixed on 3.3 ?
11:47 <haithar> jpds: will check now
11:47 <jpds> haithar: At least, that's what the bug report says.
11:47 <jpds> haithar: My squid proxies are caching things just fine.
11:47 <haithar> jpds: yeah, http://bugs.squid-cache.org/show_bug.cgi?id=3806#c11 says it's in 3.3
11:48 <jpds> haithar: OK, are you saying that there's a regression?
11:49 <haithar> jpds: as far as I understand the problem, yes, eg. if you upgrade 12 LTS to 14 LTS and Squid is upgraded, most objects* won't be cached anymore. (*: For a generic website serving images and HTML-JS-CSS files.)
11:50 <jpds> haithar: Have you reported a bug about this regression?
11:50 <haithar> jpds: it caches images, favicon.ico, ZIP etc. just fine, only MISSes files with a Vary header.
11:50 <haithar> jpds: no. I'm all new to Ubuntu server support. I don't even know where to report it. I wasn't even aware of the fact that this is indeed a regression :)
11:51 <jpds> haithar: Well, what I'm saying is: that bug was reported against squid 3.2, and the squid guys say that it's fixed in 3.3.
11:51 <jpds> haithar: So you shouldn't be seeing the issue on 3.8 in Ubuntu.
11:51 <haithar> it's 3.3.8
11:51 <jpds> Sorry, same thing.
11:52 <Odd_Bloke> jpds: It was applied to the 3.3 branch, not released in 3.3.
11:52 <Odd_Bloke> Looking at dates on http://www.squid-cache.org/Versions/v3/3.3/, it was probably released in 3.3.12.
11:52 <jpds> Hmm.
11:53 <haithar> got that, indeed it was fixed in 3.3.12
11:53 <jpds> I see.
11:54 <lordievader> !info squid3 utopic
11:54 <ubottu> squid3 (source: squid3): Full featured Web Proxy cache (HTTP proxy). In component main, is optional. Version 3.3.8-1ubuntu8.1 (utopic), package size 1797 kB, installed size 6408 kB
11:54 <Odd_Bloke> This looks like https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1336742
11:54 <lordievader> !info squid3 vivid
11:54 <ubottu> squid3 (source: squid3): Full featured Web Proxy cache (HTTP proxy). In component main, is optional. Version 3.3.8-1ubuntu9 (vivid), package size 1810 kB, installed size 6419 kB
11:54 <Odd_Bloke> s/looks like/is/
11:55 <jpds> haithar: Best to file a bug at: https://bugs.launchpad.net/ubuntu/+source/squid3/
11:55 <Odd_Bloke> jpds: haithar: It's already filed as bug 1336742.
11:55 <haithar> Odd_Bloke: yep, that's that
11:56 <haithar> I believe I downloaded and installed all patches after installing Ubuntu 14.04.1 LTS; should I have this fix already?
11:56 <Odd_Bloke> haithar: It hasn't been fixed in Ubuntu.
11:59 <haithar> Ah I see. I looked up the status triaged, so I guess 14 LTS will eventually get this patch - great stuff! Knowing the ins and outs of the Ubuntu Server fixes-patches workflow, do you think you can guess when/if this gets shipped?
12:00 <Odd_Bloke> haithar: So, generally, the fix lands in the development release and is backported.
12:00 <Odd_Bloke> But vivid is feature frozen at the moment, so someone would need to get a feature freeze exception before that could happen.
12:02 <haithar> oh sugar now I see it enters beta freeze just tomorrow
12:04 <haithar> We're doing core app server upgrades (from 10 LTS), which looks like a lengthy process, and have to install good proxies before we touch the core. Even if this fix made it into vivid, when do you think it would realistically be available as an autoinstalled patch?
12:05 <haithar> (Weeks? Months? I'm not even sure about the order of magnitude :) )
12:05 <Odd_Bloke> haithar: It's difficult to know; it depends on someone deciding that they care about it enough to do it. :p
12:06 <haithar> Is there a way to sponsor merges?
12:07 <Odd_Bloke> haithar: Not 100% sure what you're asking. :)
12:09 <haithar> To offer some cash or reward if someone would be so kind to push this through vivid and trusty. (Do the merges, raise the exception etc. For the person or for the Ubuntu project, or to a charity etc.)
12:10 <haithar> I'd do it myself but I'm not a C programmer and I know nothing about the Ubuntu bugfixing/merging/release mechanism.
12:14 <nobody44> we use Ubuntu LTS 14.04 on our servers + tomcat 7 and java 7. What happens to the openjdk package when oracle stop supporting Java 7? Or does this only concern the Oracle JDK / JRE 7 package users?
12:17 <Odd_Bloke> haithar: Not really that I know of; I've pinged the people looking at that bug, and they aren't likely to get to it.
12:17 <Odd_Bloke> haithar: (I also had a quick look myself, and I'm out of my depth)
12:36 <haithar> Odd_Bloke: so is my understanding right that if I need to set proxies up in about 2-4 weeks, maybe I shouldn't wait for this fix to appear in trusty?
12:36 <haithar> What'd you recommend, going for 12 LTS or installing the latest stable Squid on 14 LTS and manually monitor+upgrade it every time? Or is there another way?
12:37 <rbasak> haithar: thank you for bringing this up. I've only just caught up with this discussion. It'd be improper for me to take your money, since I'm already paid by Canonical. But it's fine if you can find an independent Ubuntu developer to pay to prioritise this for you, or you can pay Canonical for support to fix this for you. They'll be able to tell you if 2-4 weeks is realistic.
12:38 <rbasak> Alternatively this sounds like something that someone will get round to fixing eventually, but 2-4 weeks seems unrealistic to me.
12:39 <rbasak> I might get to it in 2-4 weeks, but I get pulled away in all sorts of directions all the time.
12:39 <rbasak> You could try and submit a fix yourself for sponsorship (not money - just review and upload to Ubuntu), but I guess you've ruled that out because of your skillset?
12:43 <haithar> Yes, I wouldn't dare to touch C code after not coding in that for 10+ years, and I'm sure I can't code a proper regression test within a reasonable time.
12:45 <haithar> rbasak: Do you know a ballpark number for the Canonical support needed to push this right down to trusty? (Again, I'm not even sure about the order of magnitude, whether it's in the 100+ EUR or in the 1000+ EUR range.)
12:45 <haithar> rbasak: and thanks for looking into this!
12:52 <rbasak> haithar: I'm not really sure, sorry - it's a different department here. I think you might need an Ubuntu Advantage contract - details are on the website. Maybe someone like pmatulis knows more? ^^
12:53 <rbasak> (or to whom to pass this to?)
12:55 <nobody44> I just saw an update for OpenJDK 6... oracle dropped support a long time ago. Is canonical supporting this OpenJDK 6 (and in the future 7) package?
12:56 <nobody44> I just don't understand how those LTS releases "work"... who fixes the security issues in those OpenJDK releases?
12:59 <rbasak> nobody44: depends on whether it is in main or universe on the release you're using. If in main, Canonical commits to supporting it. If the vendor drops support they'll still do what they can.
12:59 <rbasak> Looks like OpenJDK 6 was in main until 12.04 LTS. Since 14.04 LTS it's OpenJDK 7 that's in main.
13:00 <rbasak> However, it looks like OpenJDK 6 in universe in 14.04 has had a security update. These still happen in universe if somebody in the community puts the correctly backported fix forward.
13:00 <nobody44> rbasak: so Canonical "guarantees" support for OpenJDK 7 in Ubuntu 14.04 LTS
13:01 <nobody44> rbanffy: even if Oracle drops support for Oracle JDK 7...
13:01 <rbanffy> rbasak, we need to talk about these namespace collisions...
13:02 <RoyK> :P
13:02 <rbasak> Both "guarantee" and "support" are weasel words that have no strict meaning in English, but essentially yes - they'll continue backporting fixes as possible even if upstream drops support. But if nobody knows of a vulnerability then it won't get fixed, just the same as any other package.
13:02 <Odd_Bloke> from canonical.maas import rbanffy
13:02 <rbasak> rbanffy: :-/
13:03 <rbasak> (vendor support or no)
13:03 <nobody44> rbasak: ok, thank you for your help
=== njalk_ is now known as njalk
=== liam_ is now known as Guest95654
13:18 <haithar> If supporting this Squid fix doesn't work out, what'd you recommend, going for 12 LTS or installing the latest stable Squid on 14 LTS and manually monitor+upgrade it every time? Or is there another way?
13:19 <pmatulis> haithar: how many servers are you talking about?
13:19 <haithar> 10+
13:19 <pmatulis> haithar: i would just install 12.04 LTS
13:20 <rbasak> pmatulis: can haithar buy UA and have Canonical sort this out for him? I wasn't really sure.
13:20 <rbasak> (he was asking about how he could spend money to fix this)
13:22 <pmatulis> UA should not be seen as a bug-fixing service. things can get escalated to an engineering team and get fixed, sometimes via PPA until the fix is in the archive, but they can also be rejected
13:24 <haithar> please define: PPA (Pay Per Annum?)
13:25 <RoyK> !ppa
13:25 <ubottu> A Personal Package Archive (PPA) can provide alternate software not normally available in the official Ubuntu repositories - Looking for a PPA? See https://launchpad.net/ubuntu/+ppas - WARNING: PPAs are unsupported third-party packages, and you use them at your own risk. See also !addppa and !ppa-purge
13:25 <haithar> wow ok :)
13:26 <haithar> Thanks for the info. Indeed UA looks more like a subscription for general support and I also haven't found something there that'd suggest it's a way to push a regression through. Thanks for the confirmation.
13:26 <pmatulis> but a UA PPA can be supported, or unsupported
13:27 <rbasak> pmatulis: OK, thanks. I didn't really understand before. So we don't really have a solution for users with valid bugs who want to pay for them to be fixed?
13:27 <rbasak> I wish we did have a good answer for that.
13:51 <pmatulis> rbasak: again, we fix bugs, but there is no guarantee. UA is not a mercenary/bounty service. it is an enterprise-level support service
=== bilde2910|away is now known as bilde2910
13:52 <Odd_Bloke> rbasak: There are certainly consultancies which will do that.
13:56 <Quoexl> EHLO
=== Guest72514 is now known as rcj
=== rcj is now known as Guest22529
14:08 <haithar> Any idea how can I find someone to do that? (Apart from googling of course.) Any directories, wiki pages listing people/companies open to do paid support?
14:09 <Quoexl> I'm sorry I missed what you are trying to do
14:10 <haithar> Ah sorry. It's about finding someone who could push https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1336742 this though to trusty.
14:10 <haithar> s/though/trough/
14:11 <Quoexl> I'm terribly sorry but squid and me have had problems since dapper
14:16 <Quoexl> know anything about videowhisper conference?
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
=== zz_DenBeiren is now known as DenBeiren
=== strikov is now known as strikov-lunch
=== strikov-lunch is now known as strikov
16:10 <fidothe> hey there. We're booting Ubuntu instances in EC2, from the Ubuntu Cloud AMI. cloud-init sets the main APT repos to be S3 mirrors for the region / zone (i.e. eu-central-1a), but leaves security at security.ubuntu.com. Is there any problem with using the S3 mirror for this too? (we've been seeing DL speed from security.ubuntu.com < 400kbps all day, which is adding minutes to boot-and-bootstrap times...)
16:28 <rbasak> fidothe: using security.ubuntu.com minimises delays
16:28 <rbasak> Otherwise you might be waiting a while until your mirror picks up the most recent security updates.
16:29 <rbasak> However, I believe that every security update is pushed to -updates too, although it's probably worth checking with a security team member on that in #ubuntu-hardened.
16:29 <fidothe> rbasak: yeah, but these are Canonical-run mirrors, so presumably more reliably synced?
16:29 <rbasak> Presumably. Do they mirror the security pocket?
16:29 <rbasak> For security issues though, it might be better to not assume anything, and go straight to the source.
16:29 <fidothe> rbasak: AFAICT (i.e. I can get the Release file just fine)
16:30 <fidothe> rbasak: apt-get update was taking > 10 minutes
16:30 <rbasak> So it sounds like it'll work. But unless someone says otherwise I wouldn't recommend it.
16:30 <fidothe> which is long enough for booting instances to be culled by health checks...
16:31 <rbasak> Maybe check out and fix why security.ubuntu.com is being slow? (Not necessarily your end, but it should be fixed)
16:31 <rbasak> Rather than a workaround which gives you worse security (or at the risk of a mirror issue giving you a security issue)
16:32 <Daviey> Security updates hit -updates as well, but there is a window between when it hits s.u.c to the mirror you are using. Your primary mirror should be ordered first, so if the update is there - you should get the prioritized full speed mirror
16:34 <Daviey> Check what is causing the delay, is it just downloading the indexes (apt-get update) or are you pulling down kernels or similar from s.u.c
=== markthomas|away is now known as markthomas
17:11 <fidothe> Daviey / rbasak: it was just pulling down the indexes
17:12 <fidothe> And the #ubuntu-hardened tip is a good one, thanks
17:20 <mgagne> I would like to know when Ubuntu switched from qemu-kvm source tree to qemu. I found conflicting info
17:20 <mgagne> in README.Debian, it's since 14.04: http://launchpadlibrarian.net/186695491/qemu_2.0.0%2Bdfsg-2ubuntu1.5_2.0.0%2Bdfsg-2ubuntu1.6.diff.gz
17:20 <mgagne> According to wiki, it's since 12.10: https://wiki.ubuntu.com/QemuPTMigration
17:21 <RoyK> out of curiosity, what's the big difference?
17:21 <mgagne> one is that machine types from qemu-kvm are not compatible with the ones found in qemu. And it matters a lot if you perform a live migration.
17:22 <rbasak> hallyn might be able to help ^^
17:22 <RoyK> mgagne: qemu is the better?
17:23 <mgagne> RoyK: it's the new source. previous one looks to be a fork or something. but tbh, I don't care that much as long as I can perform my live migration =)
17:24 <hallyn> rbasak: https://wiki.ubuntu.com/QemuPTMigration
17:24 <RoyK> mgagne: do you have something set up to autostart VMs if a host in the cluster goes down?
17:24 <RoyK> mgagne: and btw, what sort of clustering/storage do you use for this?
17:24 <mgagne> RoyK: we are using openstack
17:24 <RoyK> ok
17:25 <mgagne> RoyK: the original issue is: I can't live migrate instances from QEMU 1.5 to QEMU 2.0.
17:25 <RoyK> ok
17:26 <mgagne> hallyn: which info source is right? the wiki or README.Debian?
17:27 * RoyK guesses README.Debian
17:28 <mgagne> because the wiki mentions the "incoming_assume_qemukvm" config which in fact got renamed before packaging for "allow_incoming_qemukvm"
17:46 <mgagne> I opened a bug: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1425619
19:02 <Zeelot3k> good morning! this seems like a more accurate place for my server questions :)
19:02 <Zeelot3k> can anyone here tell me (in an upstart script) when I should be using `start-stop-daemon`? I don't see what it provides over a simple `exec`. doesn't upstart already monitor and manage my process for me? so what does start-stop-daemon do on top of that?
=== Lcawte is now known as Lcawte|Away
19:11 <sarnold> Zeelot3k: I suspect you don't need start-stop-daemon in upstart configurations; if you see it used, it might have just been because it was easier to copy-and-paste it from an old init script that used it..
19:14 <Zeelot3k> sarnold: I see. The only reason I can find so far is if I need to run different parts of the init script as root while changing user for the main process. And I also need to be able to generate a pid file which upstart does not do for me (from what I can tell)
19:15 <Zeelot3k> so if I need those two things… valid to use `start-stop-daemon`?
19:16 <teward> sarnold: is there documentation on creating systemd init scripts and such? Like, what the structure is, etc.
19:16 <sarnold> Zeelot3k: do you strictly need the pid file? iirc upstart doesn't care about one, and most tools that relied upon them are slightly racy anyway...
19:16 <sarnold> teward: I think pitti put most of the work into this: https://wiki.ubuntu.com/SystemdForUpstartUsers
19:17 <Zeelot3k> sarnold: I'm using Monit and I don't see a way to tell it to ask Upstart for the pid :(
19:17 <sarnold> teward: 90% of what I know about systemd came from skimming that file :)
19:17 <sarnold> Zeelot3k: ahhhhh
19:17 <teward> sarnold: mmm, see, I mean from scratch - I mean, I could dig into, say, the nginx or apache or any other systemd init script but i'm lazy :P
19:18 <Zeelot3k> any suggestions? I was a little disappointed by the Monit capabilities
=== duxklr is now known as jemurray-wustl
19:28 <Zeelot3k> sarnold: inspeqtor seems to support Upstart specifically: https://github.com/mperham/inspeqtor/wiki/INQ-Configuration
19:30 <sarnold> Zeelot3k: there are some uses of $$ in the upstart cookbook, you might be able to printf $$ > /path/to/pidfile  or something similar: http://upstart.ubuntu.com/cookbook/
19:34 <Zeelot3k> thanks will take a look
19:34 <Zeelot3k> cookbook site isn't loading heh but I'll check back later
19:37 <sarnold> Zeelot3k: dang, I waited until it loaded for me before pasting the url. (it was being rebooted when I first wanted it, heh)
19:37 <Zeelot3k> hehe it finally came back
19:37 <Zeelot3k> I think I want to fix the monitoring tool before hacking things into my init scripts
19:38 <Zeelot3k> upstart already knows the pid so there isn't a real reason for me to write pid files
=== martins-afk is now known as martinst
=== markthomas is now known as markthomas|away
=== wedgwood1 is now known as wedgwood
=== kickinz1 is now known as kickinz1|afk
20:31 <mamuskus> Hi
20:33 <pmatulis> hi
=== thumper is now known as thumper-afk
=== cipi is now known as CiPi
=== Lcawte|Away is now known as Lcawte
=== bilde2910 is now known as bilde2910|away
=== markthomas|away is now known as markthomas
=== thumper-afk is now known as thumper
22:14 <thunder1> hello
22:17 <teward> hello
22:18 <thunder1> teward: what is the expected operation of the known_hosts file?
22:19 <thunder1> is it similar to a hash file where it gives the url then the hash? I see no url in the file.
22:20 <teward> thunder1: you mean known_hosts inside the .ssh folder in a home dir?
22:21 <teward> thunder1: the answer on http://security.stackexchange.com/questions/20706/what-is-the-difference-between-authorized-key-and-known-host-file-for-ssh gives a nice description of what known_hosts does (see Server Authentication section of the answer)
22:21 <teward> the accepted answer there*
22:22 <teward> somewhat in depth, but a decent one
22:22 <thunder1> teward: known_hosts inside the .ssh folder in a home dir
22:23 <teward> thunder1: that's explained in the link i just posted
22:23 <teward> the accepted answer on there, anyways
22:23 <thunder1> Not big on stackexchange
22:24 <teward> thunder1: well then you're out of luck - those explanations are accurate - to summarize, known_hosts stores the public key fingerprints of the remote SSH servers
22:24 <teward> ideally you'd check the one you see against known ones, but...
22:24 <teward> if you don't know, then if the remote fingerprint changes at any time it'll deny the connection and throw a huge warning
22:24 <teward> about checking the remote SSH host legitimacy
22:26 <thunder1> teward: yes I get the usage of it but when looking at it why doesn't it have a hostname/url in the file?
22:27 <squisher> thunder1, it is hashed for privacy reasons
22:27 <teward> ^ that
22:27 <thunder1> squisher: that sounds like an addition, the usual ssh shows the host
22:28 <thunder1> squisher: it is an answer to what I've asked, very well squisher
22:29 <thunder1> Is ubuntu14 backwards compatible?
22:29 <Prezident> yes but not recommended
22:29 <Prezident> So i would say no
22:30 <Prezident> Why btw?
22:30 <thunder1> Are there any plans on using 14 as the distribution server?
22:30 <Prezident> Rather play with kernel then if something is missed
22:30 <thunder1> If the distribution server runs say ubuntu 6, 9 or 10 why is 14 recommended for others?
22:31 <thunder1> Something looks fishy there.
22:33 <thunder1> If it were really so important for security the distribution server could also need that security.
22:34 <thunder1> milsim
22:34 <thunder1> put your hand on the glass
22:35 <thunder1> What is bug #1?
22:37 <thunder1> Feel free to give hypothetical answers for that.
22:37 <thunder1> The recommending 14 question.
22:38 <thunder1> Simulate a best case for that recommending 14.
22:40 <thunder1> Prepend it with a disclaimer so you don't have to accept fault.
22:41 <thunder1> go on
22:43 <thunder1> You don't have to ascribe to being one with the author of that nonsense.
22:47 <thunder1> If 14 is really so much better I want to see the distribution server running 14.
22:48 <thunder1> ok?
=== Guest22529 is now known as rcj
22:49 <thunder1> How does that work saying don't use 12 it is insecure unsupported, download 14 from ubuntu 8.
=== rcj is now known as Guest62484
23:33 <Valduare> hey guys… got something odd here.. one of my servers won't update, keeps trying to use ipv6 addresses it seems...
23:34 <rbasak> Is your server using ipv6 addresses that actually don't route?
=== Lcawte is now known as Lcawte|Away
