/srv/irclogs.ubuntu.com/2015/04/02/#ubuntu-server.txt

[00:24] <keithzg> Guess whatever the default setup is in ubuntu-server doesn't cut it these days? (This is a 14.04 server). Installed ntpd, now offside is down to about 4 thousandths of a second.
[00:25] <keithzg> Although my guess would be that ntpd still ships as default and I just did something weird when I installed and set up this server last year, heh.
[00:28] <sarnold> I think ntpdate ships as default..
[00:29] <keithzg> sarnold: Yeah, ntpdate was already installed, but doesn't that have to be run manually, or at least manually added to some cron job?
[00:29] <sarnold> there's a discussion here https://lists.ubuntu.com/archives/ubuntu-devel/2014-October/038512.html
[00:29] <sarnold> keithzg: yeah. if ntpdate hadn't been run recently that could explain the three minutes..
[00:32] <keithzg> sarnold: Ah, makes sense then, ntpdate probably only runs on reconnection to networks and such, eh? The half-year uptime of this server since last time I admitted I should probably apply kernel updates is plenty of time for drift ;)
[00:33] <sarnold> keithzg: hehe yeah, three minutes of drift in half a year makes sense..
=== markthomas is now known as markthomas|away
=== markthomas|away is now known as markthomas
=== markthomas is now known as markthomas|away
[01:39] <Patrickdk> sarnold, here is something you might like
[01:39] <Patrickdk> http://google/
[01:40] <sarnold> Patrickdk: you know I tried that earlier today.. and just got my localhost http server
[01:40] <sarnold> $ host google.
[01:40] <sarnold> google has address 127.0.53.53
[01:40] <sarnold> google mail is handled by 10 your-dns-needs-immediate-attention.google.
[01:40] <Patrickdk> oh ya
[01:40] <sarnold> what on earth gave me -that- response? :)
[01:40] <Patrickdk> stupid wildcard
[01:40] * Patrickdk isn't thinking clearly
[01:42] <Patrickdk> surprised they don't have a webpage on that though
[01:43] <sarnold> it feels like they should
[01:43] <sarnold> why buy a tld for $180k USD and then only use it for a gimmick like com.google? :)
[02:19] <keithzg> Well, $180k is chump change for Google, and it gives them the option in the future if they ever decide to use it.
[02:20] <keithzg> Right now people (somewhat rightly) are distrustful of these new domains, so they probably figure it isn't worth committing to what they'll do with it yet.
[02:27] <Patrickdk> heh? google has already ate like 30 tld's
[02:27] <Patrickdk> most of them make sense
[02:27] <Patrickdk> about 10 of them are just pure greedy
[02:27] <Patrickdk> ads, dad, ...
[02:28] <Patrickdk> and the whole .dev and some of the other tlds that are for internal usage only
[05:54] <lordievader> Good morning.
=== kickinz1|afk is now known as kickinz1
[07:02] <mdev> whoever does the apache distro for ubuntu, how can I get them to disable apache indexing by default?
[07:02] <mdev> is really a big security issue and no reason it should be enabled, yet it always is on fresh ubuntu server installs
[07:02] <mdev> it lists files/directories in your htdocs folder /var/www/html in the end users browser if no index.php or index.html exists
[07:03] <OpenTokix> mdev: The default only exports /var/www
[07:03] <mdev> probably can list the same even if they do exist
[07:03] <OpenTokix> mdev: how is that a security issue?
[07:03] <mdev> because end users don't need to see any of those files?
[07:03] <OpenTokix> mdev: My question still stands, what are the security implications?
[07:03] <mdev> if you're running a website you don't need all your web files listed
[07:04] <mdev> what the security issues? many...users could potentially access files they should be because they can see a full list of everything
[07:04] <mdev> if you stored certain information in a hidden_log_3939495.txt for instance
[07:04] <OpenTokix> mdev: They can still access all the files, regardless if they are indexed or not
[07:05] <OpenTokix> What you are talking about is security by obscurity
[07:05] <mdev> I had one client who stored transaction info in his web directory, using long obscure names that one couldn't guess but wouldn't need to if they were listed by freaking apache...
[07:05] <OpenTokix> And that is not security
[07:05] <mdev> and security via obscurity is security, regardless of what people say
[07:05] <OpenTokix> mdev: Your client is doing dumb stuff, - And that isnt apache default configs fault
[07:05] <OpenTokix> no, its not
[07:06] <mdev> Open every ubuntu vps install i've seen has apache with indexing enabled by default
[07:06] <mdev> apt-get install apache, or it installed via php
[07:06] <mdev> so clearly it's whoevers running that repo
[07:06] <mdev> obscurity is security, 1000%
[07:06] <OpenTokix> no
[07:07] <mdev> if you go bury a treasure chest full of gold in your backyard, is it secure from thieves? absolutely
[07:07] <mdev> if they don't know it's there...
[07:07] <OpenTokix> ...
[07:08] <mdev> but if you broadcast and tell everyone you buried it there, similar to apaches indexing
[07:08] <mdev> then no it's not secure...
[07:09] <OpenTokix> mdev: you are wrong in so many ways, I dont have enough button presses before I have to switch keyboards of mechanical fatigue. - So have fun with your endeavors
[07:10] <mdev> even if you truly feel that way, which I doubt
[07:11] <mdev> there's no huge reason to have indexing enabled by default anyway
[07:11] <mdev> if users want it on they can enable it, but the average user, having it on, is security risk
[07:12] <mdev> so whoever maintains the apache repo for ubuntu please consider disabling it
[07:13] <mdev> some other distros don't have it enabled
[07:43] <rbasak> mdev: I see no case here to change the default, but will follow Debian's default. If you want to file a bug with them to change the default, go ahead.
[07:43] <lordievader> mdev: I suppose you should file a bug, if you really feel strongly about it.
[07:43] <rbasak> mdev: I see no point though. Files placed in a server configured for static serving of files are expected to be public. If you don't want to share the files, don't put them in /var/www.
[07:44] <rbasak> OTOH, if you do put files in /var/www, the implication is that you do want to make them public. Why else would you put them there?
[07:44] <rbasak> Not providing automatic indexes doesn't help whether the files are accessible or not anyway.
[07:46] <rbasak> OTOH, I find automatic indexing really useful. I can use a public area to dump files that others can discover and access.
[07:54] <skylite> im using dhclient eth2 command to get an IP from my dhcp server. Server gets the request and sends back a dhcp offer but my client wont accept it and keeps asking for an IP from the dhcp server (isc-dhcp) any ideas? I dont see any other entries in the dhcp log
[08:00] <skylite> ok it seems its a network issue
=== ming is now known as Guest92609
=== Lcawte|Away is now known as Lcawte
[09:20] <arcsky> hey, my syslog/messages are empty files, where are my logs?
[09:22] <replman> Hi! I have a svn repository on my ubuntu 12.04 server and access it by https through apache. I setup a location in http conf with authtype basic and require valid-user. Everything works so far. Now i want to give access to a specific repository path to another user. Adding this user to my AuthUserFile gives him full access. What's the best way to restrict the access?
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
[09:49] <replman> Ok, looks like i have to use AuthzSVNAccessFile. My location in http conf is <Location /svn/repo>, in the acl file i have a [Test:/customer/acme/project1/trunk]. If i try to access the repo through https://testuser@myserver.com/svn/repo/Test i get a forbidden error. What is the correct url?
=== zz_DenBeiren is now known as DenBeiren
=== xachet_ is now known as xachet
=== ashleyd is now known as ashd
[15:11] <rbasak> niedbalski: looking at https://code.launchpad.net/~niedbalski/ubuntu/vivid/rpcbind/fix-lp-1430181/+merge/253260 now
[15:18] <strikov> rbasak: hey, i have a question regarding mysql apport bug
[15:18] <rbasak> strikov: sure
[15:20] <cohonen> yo guys
[15:20] <strikov> rbasak: essence of the issue is that mysql doesn't generate crash reports by default
[15:20] <strikov> rbasak: it handles all the crashes internally w/o letting kernel/apport know about them
[15:20] <strikov> rbasak: this behavior can be changed by my.cnf though
[15:21] <cohonen> so removing resolvconf (which pissed me off) will result in removing ubuntu-minimal
[15:21] <strikov> rbasak: do we want generating crash reports enabled by default?
[15:21] <cohonen> is ubuntu-minimal a pseudo package or will this break my system ?
[15:21] <rbasak> strikov: I think we're talking about two types of "crashes". My issue was with postinst failures, which I guess isn't related to changes in my.cnf?
[15:22] <rbasak> strikov: so "ubuntu-bug /usr/sbin/mysqld" should use the apport hook, for example.
[15:22] <rbasak> cohonen: to stop using resolvconf, I think you can just replace /etc/resolv.conf with a regular file and it'll leave you alone.
[15:22] <strikov> rbasak: okay, i'll check this path as well; i'm currently testing with sigsegv
[15:23] <cohonen> rbasak: im pretty sure it wont
[15:23] <cohonen> also editing interface has NO EFFECT!@!!!!
[15:23] <cohonen> which 99.8888% of ubuntu forums suggests
[15:23] <rbasak> cohonen: https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/
[15:23] <cohonen> rbasak: let me verify
[15:24] <cohonen> rbasak: yes, that one will work, EXCEPT, it still appends the ISP DNS servers
[15:24] <cohonen> I dont want ANY dns servers other than the ones i choose
[15:25] <cohonen> not ISPs
[15:25] <cohonen> not googles
[15:25] <cohonen> just the ones i pick
[15:25] <cohonen> and resolvconf doesnt seem to let you do anything other than prepend or append to crap i get from whatever dhcp server answers
[15:26] <cohonen> i know i can probably edit some dhclient thing
[15:26] <cohonen> but why do i have to,, i just want resolvconf to go the way of the dodo
[15:26] <rbasak> cohonen: I'd say that's a matter of configuration of your DHCP client, not resolvconf. Of course disabling resolvconf will disable it too, but that doesn't feel like the correct place to configure what you want to me.
[15:26] <rbasak> I'm quite happy with resolvconf.
[15:26] <cohonen> /etc/resolv.conf IS THE PLACE
[15:27] <rbasak> /etc/resolv.conf is fine for static DNS configuration.
[15:27] <cohonen> i just get tired of crap trying to tell me where to get my IPs from
[15:27] <rbasak> It doesn't work well for dynamic environments - such as a laptop.
[15:27] <cohonen> rbasak: which is what i want
[15:27] <rbasak> cohonen: and you can have what you want, but you're expected to know how to configure the bits you need.
[15:27] <cohonen> rbasak: it does if you know good dns servers and youre not in a stazi country or network
[15:28] <cohonen> rbasak: so,, back to my original question
[15:28] <cohonen> if i remove resolvconf, dpkg tells me, ill remove that AND ubuntu-minimal ALSO
[15:28] <rbasak> ubuntu-minimal is a metapackage.
[15:28] <cohonen> so, doesnt do anything ?
[15:28] <rbasak> You might break release upgrades, but no your system shouldn't really break apart from that.
[15:29] <cohonen> okey,,, hmmm
[15:29] <rbasak> However, understand that you're going "off piste", so any future bugs or issues caused by doing this are down to you.
[15:29] <cohonen> btw,, its on ubuntu server, on my toy servers
[15:30] <cohonen> why is it weird that i want a 100% self managed dns there ?
[15:30] <cohonen> even if i use dns (my isp forces me to)
[15:30] <cohonen> dns / dhcp
[15:32] <rbasak> It's odd that you want DHCP but not DNS from DHCP.
[15:32] <rbasak> If you just wanted a static IP and static DNS, you can do that with dns-nameservers in /etc/network/interfaces and everything would be fine.
[15:32] <cohonen> well, i admit its not the most common
[15:32] <rbasak> So it seems to me that what you really want is to configure dhclient to not take DNS.
[15:33] <cohonen> no no i tried messing with /etc/network/interfaces
[15:33] <cohonen> hmm
[15:33] <cohonen> i think i have to look into dhclient
[15:33] <cohonen> rbasak: yes it seems so
[15:33] <cohonen> sigh
[15:33] <cohonen> rbasak: reason is that my IP is external but not 100% static
[15:34] <rbasak> Get a better ISP :)
[15:34] <cohonen> better would mean digging a fiber myself
[15:34] <cohonen> its pretty good as it is, just has a few annoyances
[15:36] <rbasak> niedbalski: I'm not sure that bug 1430181 is appropriate to fix in an SRU or during feature freeze in Vivid (without an exception).
[15:36] <rbasak> niedbalski: seems to me that TCP binding is a new feature because the switch is documented to support UDP only.
[15:37] <rbasak> niedbalski: the patch looks pretty extensive too.
[15:40] <cohonen> rbasak: okey i guess the best solution is to edit the dhclient, that seems to work, very tempted to set up a xattr to lock the file
[15:43] <cohonen> rbasak: yea , the solution is to NOT request dns-nameserver domain search etc via dhclient
[15:44] <cohonen> thanks
[15:44] <cohonen> later guys
[15:44] <rbasak> cohonen: no problem
[15:44] <rbasak> cohonen: thinking about it...
[15:44] <cohonen> ???
[15:44] <rbasak> cohonen: I think that with resolvconf disabled, dhclient is probably writing to your /etc/resolv.conf.
[15:44] <cohonen> it makes sense sorta,.
[15:44] <rbasak> I could be wrong though.
[15:44] <rbasak> So removing resolvconf might not have helped you here anyway.
[15:44] <cohonen> that what it seems like
[15:45] <rbasak> So maybe rage a little less at resolvconf? :)
[15:45] <cohonen> i kindof want to reinstall resolvconf just to be close to a normal ubuntu install
[15:46] <jrwren> cohonen: I think resolvconf may help you more than hurt you. It makes it easy to override dhcp's dns settings.
[15:47] <cohonen> jrwren: well , i see that it has options to all resolvers for interfaces
[15:47] <cohonen> it just another complexity i dont like
[15:48] <jrwren> cohonen: I used to agree, then I learned it, saw the problems it solves and embraced it.
[15:49] <cohonen> jrwren: yea , i had the same experience with firewalld on rhel/fedora clients
[15:49] <jrwren> cohonen: to override nameservers for dhcp on eth0, run: echo nameserver 8.8.8.8 | sudo resolvconf -a eth0
[15:50] <cohonen> jrwren: anyway, i reinstalled minimal and resolvconf
[15:50] <cohonen> jrwren: and that will be the only dns server then
[15:50] <jrwren> cohonen: you can later remove with sudo resolvconf -d eth0
[15:50] <jrwren> cohonen: I do not think it will be the only, but it will be first, so unless it is down it will be only one used.
[15:50] <cohonen> jrwren: and that setting is persistent across boots ?
[15:51] <cohonen> jrwren: hmm okey, thats like the head file
[15:51] <jrwren> cohonen: unsure, I tend to run ephemeral server instance, so I don't reboot
[15:51] <cohonen> i dont reboot much either, but i want to be able to trust as much state as possible
[15:52] <cohonen> jrwren: i still believe that in my particular usecase the answer was to kick dhclient in the face and tell him NO DNS !
[15:53] <jrwren> cohonen: why is that?
[15:53] <jrwren> cohonen: my isp provides poor dns too :)
[15:53] <cohonen> mine too
[15:54] <cohonen> and im not gonna use googles even if it gave free BJs
[15:54] <jrwren> was just an example I used :)
[15:54] <cohonen> so i have a list of freedom respecting DNS servers
[15:54] <jrwren> what are these freedom dns?
[15:55] <cohonen> jrwren: yea, they were clever , getting 8.8.8.8
[15:55] <cohonen> jrwren: well 2 are small providers
[15:56] <cohonen> 2 are opendns which are obviously not so cool
[15:56] <cohonen> but i count on that losing the first 2 is rare
=== markthomas|away is now known as markthomas
[16:10] <strikov> smoser: i just found out how to make canonistack faster; due to some reason m1.large gets much faster i/o than m1.small which significantly increases performance; that looks like something wrong but it works :)
=== markthomas is now known as markthomas|away
[16:14] <smoser> stnice.
=== markthomas|away is now known as markthomas
[16:28] <strikov> rbasak: this looks like a correct crash report, right? http://paste.ubuntu.com/10724987/
[16:29] <rbasak> strikov: yes that looks good
[16:29] <strikov> rbasak: that's what i get with the hook copied to the right place; basically: http://pastebin.ubuntu.com/10724996/
[16:30] <strikov> rbasak: we had this file in .files before but switched mysql-server from dh_movefiles to dh_install which required .install
[16:30] <rbasak> strikov: does "ubuntu-bug /usr/sbin/mysqld" generate a report? When I tried it, it hung forever.
[16:30] <strikov> rbasak: yes, in a few moments
[16:30] <rbasak> strikov: OK. It's much simpler than I thought then. Sorry!
[16:31] <strikov> rbasak: okay :)
[16:31] <strikov> rbasak: you owe mean one really painful bug though
[16:31] <strikov> *me
[16:32] <rbasak> :)
[16:33] <strikov> rbasak: and returning back to sigsegv dumps; is it expected that they are not going through apport?
[16:56] <samba35> i am using ubuntu 14.04 with ssh i want to change default ssh port to 5123 but when i change it is not able to change port it always show 22 , i make changes in sshd_config port 5123
[17:14] <bekks> samba35: Change the port and restart the sshd daemon.
[17:35] <strikov> rbasak: https://bugs.launchpad.net/ubuntu/+source/init-system-helpers/+bug/1439793
[17:35] <strikov> rbasak: not sure if it worth fixing but want to let ubuntu-devel guys know about that corner case
[17:38] <samba35> bekks: thanks i was making some mistake with service restart i was using /etc/init.d / method to restart the service but now with service ssh restart it work
[17:38] <samba35> thanks
[17:41] <bekks> samba35: For sshd, that actually doesnt matter :)
[17:42] <samba35> you mean for starting service ?
[17:44] <bekks> samba35: Yes.
[17:44] <samba35> but unfortunately it did not work for me
[17:45] <samba35> but service xx restart work
=== kickinz1 is now known as kickinz1|afk
=== Lcawte is now known as Lcawte|Away
=== markthomas is now known as markthomas|away
=== lazyPower is now known as lp|away
[20:40] <wiredfool> I've got an older server running trusty w/ a 4 disk raid 10 setup, initially setup on 500gb disks but now on 1tb due to several single drive failures + rebuilds. I'd like to convert it to a 2 drive raid 1, using the currently unpartitioned space, and free up two disk trays for ssds.
[20:42] <wiredfool> current mirror is /dev/md1. I'm thinking of making a new degraded raid 1 mirror, /dev/md2, with /dev/md1 as its only member. Then reboot for that to be /. then I'll fail out one of the drives, repartition it, and add it to /dev/md2 and let it rebuild. Then when that's good, I'll fail /dev/md1 out of the array, fail one more drive out of it, and add it to /dev/md2, and let it rebuild again.
=== markthomas|away is now known as markthomas
[20:44] <wiredfool> then I should have a working raid1 set, and a pair of drives that still have the same data (if I'm lucky and fail the correct drive on the second try).
[20:44] <wiredfool> Is this a workable plan, or is it totally daft?
[20:49] <parallel21> I have a directory that has a size of 0 and I am unable to delete it
[20:49] <parallel21> Unable to cd into it either
[20:54] <JanC> parallel21: permissions?
[20:57] <JanC> wiredfool: you'd have to pastebin more specific info, but failing disks in a RAID system to re-use them for something else is certainly possible
[20:59] <parallel21> JanC: Doing this as root
[21:00] <teward> is there any harm on my local computer to edit the ownership of files in /etc/bind for my bind server for my user to own it, and bind group to have access as well?
[21:00] <sarnold> teward: if you don't mind your web browser being able to edit those files.. :)
[21:01] <JanC> parallel21: did you run fsck on the file system?
[21:01] <teward> sarnold: given that this system is encrypted out the wazoo and the password is complex enough that I have to plug in a yubikey just to actually enter the password when prompted... :P
[21:01] <teward> sarnold: it's a local bind9 instance for local IPs only on the system (for the VMs on the host only subnets xD)
[21:02] <sarnold> teward: hehe, I figured you weren't actually going to run firefox on your dns systems :)
[21:02] <teward> sarnold: indeed.
[21:02] <sarnold> teward: but I saw an opportunity for a joke and had to take it :)
[21:02] <teward> sarnold: THOSE are on separate servers xD
[21:02] <teward> sarnold: indeed.
[21:02] <teward> sarnold: i meant from a runtime perspective if things'll break - setgid on the directories would enforce group ownership xD
[21:02] <wiredfool> JanC: is there a way to tell which disks are paired in a mdadm raid10?
[21:03] <sarnold> teward: should be fine, just so long as bind can read them
[21:04] <JanC> wiredfool: I never used mdadm raid10, so don't know for sure, but I assume there is
[21:04] <teward> sarnold: indeed, g+r is still in place, and the directory is set o+s g+s, with MYUSER:bind as the ownership
[21:05] <JanC> I've done it with a raid1 though
[21:05] <teward> s/o+s/u+s/
[21:08] <wiredfool> I could add in a second partition on one drive that I'm going to keep, prior to failing out the first drive, and then watch the iostat to see what's reading and what's writing.
[21:10] <JanC> wiredfool: I'm pretty sure mdadm can tell you what devices are used for what purpose?
[21:39] <wiredfool> JanC: not in a manner that's obvious -- http://pastebin.com/6hH14K3a
=== robher_ is now known as robher
[21:44] <JanC> wiredfool: the "layout" parameter should be useful
=== mattgrif_ is now known as mattgriffin
[21:55] <JanC> wiredfool: https://en.wikipedia.org/wiki/Linux_MD_RAID_10#Linux_MD_RAID_10
[21:58] <JanC> looks like /dev/sda3 & /dev/sdb3 are part of 1 mirror, and /dev/sdc3 & /dev/sdd3 of the other
[22:00] <JanC> so you can fail one device in each mirror
[22:08] <wiredfool> ok, if running code matches wikipedia
