[00:24] <keithzg> Guess whatever the default setup is in ubuntu-server doesn't cut it these days? (This is a 14.04 server). Installed ntpd, now offside is down to about 4 thousandths of a second.
[00:25] <keithzg> Although my guess would be that ntpd still ships as default and I just did something weird when I installed and set up this server last year, heh.
[00:28] <sarnold> I think ntpdate ships as default..
[00:29] <keithzg> sarnold: Yeah, ntpdate was already installed, but doesn't that have to be run manually, or at least manually added to some cron job?
[00:29] <sarnold> there's a discussion here https://lists.ubuntu.com/archives/ubuntu-devel/2014-October/038512.html
[00:29] <sarnold> keithzg: yeah. if ntpdate hand't been run recently that could explain the three minutess..
[00:32] <keithzg> sarnold: Ah, makes sense then, ntpdate probably only runs on reconnection to networks and such, eh? The half-year uptime of this server since last time I admitted I should probably apply kernel updates is plenty of time for drift ;)
[00:33] <sarnold> keithzg: hehe yeah, three minutes of drift in half a year makes sense..
=== markthomas is now known as markthomas|away
=== markthomas|away is now known as markthomas
=== markthomas is now known as markthomas|away
[01:39] <Patrickdk> sarnold, here is something you might like
[01:39] <Patrickdk> http://google/
[01:40] <sarnold> Patrickdk: you know I tried that earlier today.. and just got my localhost http server
[01:40] <sarnold> $ host google.
[01:40] <sarnold> google has address 127.0.53.53
[01:40] <sarnold> google mail is handled by 10 your-dns-needs-immediate-attention.google.
[01:40] <Patrickdk> oh ya
[01:40] <sarnold> what on earth gave me -that- response? :)
[01:40] <Patrickdk> stupid wildcard
[01:40]  * Patrickdk isn't thinking clearly
[01:42] <Patrickdk> suprised they don't have a webpage on that though
[01:43] <sarnold> it feels like they should
[01:43] <sarnold> why buy a tld for $180k USD and then only use it for a gimmick like com.google? :)
[02:19] <keithzg> Well, $180k is chump change for Google, and it gives them the option in the future if they ever decide to use it.
[02:20] <keithzg> Right now people (somewhat rightly) are distrustful of these new domains, so they probably figure it isn't worth comitting to what they'll do with it yet.
[02:27] <Patrickdk> heh? google has already ate like 30 tld's
[02:27] <Patrickdk> most of them make sense
[02:27] <Patrickdk> about 10 of them are just pure greedy
[02:27] <Patrickdk> ads, dad, ...
[02:28] <Patrickdk> and the whole .dev and some of the other tlds that are for internal usage only
[05:54] <lordievader> Good morning.
=== kickinz1|afk is now known as kickinz1
[07:02] <mdev> whoever does the apache distro for ubuntu, how can I get them to disable apache indexing by default?
[07:02] <mdev> is really a big security issue and no reason it should be enabled, yet it always is on fresh ubuntu server installs
[07:02] <mdev> it lists files/directories in your htdocs folder /var/www/html in the end users browser if no index.php or index.html exists
[07:03] <OpenTokix> mdev: The default only export /var/www
[07:03] <mdev> probably can list the same even if they do exist
[07:03] <OpenTokix> mdev: how is that a security issue?
[07:03] <mdev> because end users don't need to see any of those files?
[07:03] <OpenTokix> mdev: My question still stands, what are the security implications?
[07:03] <mdev> if you're running a website you don't need all your web files listed
[07:04] <mdev> what the security issues? many...users could potentially access files they should be because they can see a full list of everything
[07:04] <mdev> if you stored certain information in a hidden_log_3939495.txt for instance
[07:04] <OpenTokix> mdev: They can still access all the files, regardless if they are indexed or not
[07:05] <OpenTokix> What you are talking about is security by obscurity
[07:05] <mdev> I had one client who stored transaction info in his web directory, using long obscure names that one couldn't guess but wouldn't need to if they were listed by freaking apache...
[07:05] <OpenTokix> And that is not security
[07:05] <mdev> and security via obscurity is security, regardless of what people say
[07:05] <OpenTokix> mdev: Your client are doing dumb stuff, - And that isnt apache default configs fault
[07:05] <OpenTokix> no, its not
[07:06] <mdev> Open every ubuntu vps install i've seen has apache with indexing enabled by default
[07:06] <mdev> apt-get install apache, or it installed via php
[07:06] <mdev> so clearly it's whoevers running that repo
[07:06] <mdev> obscurity is security, 1000%
[07:06] <OpenTokix> no
[07:07] <mdev> if you go bury a treasure chest full of gold in your backyard, is it secure from theives? absolutely
[07:07] <mdev> if they don't know it's there...
[07:07] <OpenTokix> ...
[07:08] <mdev> but if you broadcast and tell everyone you buried it there, similar to apaches indexing
[07:08] <mdev> then no it's not secure...
[07:09] <OpenTokix> mdev: you are wrong in so many ways, I dont have enough button presses before I have to switch keybords of mechanical fatigue. - So have fun with your endevors
[07:10] <mdev> even if you truely feel that way, which I doubt
[07:11] <mdev> there's no huge reason to have indexing enabled by default anyway
[07:11] <mdev> if users want it on they can enable it, but the average user, having it on, is security risk
[07:12] <mdev> so whoever maintains the apache repo for ubuntu please consider disabling it
[07:13] <mdev> some other distros don't have it enabled
[07:43] <rbasak> mdev: I see no case here to change the default, but will follow Debian's default. If you want to file a bug with them to change the default, go ahead.
[07:43] <lordievader> mdev: I suppose you should file a bug, if you really feel strongly about it.
[07:43] <rbasak> mdev: I see no point though. Files placed in a server configured for static serving of files are expected to be public. If you don't want to share the files, don't put them in /var/www.
[07:44] <rbasak> OTOH, if you do put files in /var/www, the implication is that you do want to make them public. Why else would you put them there?
[07:44] <rbasak> Not providing automatic indexes don't help whether the files are accessible or not anyway.
[07:46] <rbasak> OTOH, I find automatic indexing really useful. I can use a public area to dump files that others can discover and access.
[07:54] <skylite> im using dhclient eth2 command to get an IP from my dhcp server. Server gets the request and sends back a dhcp offer but my client wont accept it and keeps asking for an IP from the dhcp server  (isc-dhcp) any ideas? I dont see any other entries in the dhcp log
[08:00] <skylite> ok it seems its a network issue
=== ming is now known as Guest92609
=== Lcawte|Away is now known as Lcawte
[09:20] <arcsky> hey, my syslog/messages are empty files, where is my logs?
[09:22] <replman> Hi! I have a svn repository on my ubuntu 12.04 server and access it by https through apache. I setup a location in http conf with authtype basic and require valid-user. Everything works so far. Now i want to give access to a specific repository path to another user. Adding this user to my AuthUserFile gives him full access. What's the best way to restrict the access?
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
[09:49] <replman> Ok, looks like i have to use AuthzSVNAccessFile. My location in http conf is <Location /svn/repo>, int the acl file i have a [Test:/customer/acme/project1/trunk]. If i try to access the repo through https://testuser@myserver.com/svn/repo/Test i get a forbidden error. What is the correct url?
=== zz_DenBeiren is now known as DenBeiren
=== zz_DenBeiren is now known as DenBeiren
=== xachet_ is now known as xachet
=== ashleyd is now known as ashd
[15:11] <rbasak> niedbalski: looking at https://code.launchpad.net/~niedbalski/ubuntu/vivid/rpcbind/fix-lp-1430181/+merge/253260 now
[15:18] <strikov> rbasak: hey, i have a question regarding mysql apport bug
[15:18] <rbasak> strikov: sure
[15:20] <cohonen> yo guyas
[15:20] <strikov> rbasak: essence of the issue is that mysql doesn't generate crash reports by default
[15:20] <strikov> rbasak: it handles all the crashes internally w/o letting kernel/apport know about them
[15:20] <strikov> rbasak: this behavior can be changed by my.cnf though
[15:21] <cohonen> so removing resolvconf (which pissed me off) will result in removing ubuntu-minimal
[15:21] <strikov> rbasak: do we want generating crash reports enabled by default?
[15:21] <cohonen> is ubuntu-minimal a pseudo package or will this break my system ?
[15:21] <rbasak> strikov: I think we're talking about two types of "crashes". My issue was with postinst failures, which I guess isn't related to changes in my.cnf?
[15:22] <rbasak> strikov: so "ubuntu-bug /usr/sbin/mysqld" should use the apport hook, for example.
[15:22] <rbasak> cohonen: to stop using resolvconf, I think you can just replace /etc/resolv.conf with a regular file and it'll leave you alone.
[15:22] <strikov> rbasak: okay, i'll check this path as well; i'm currently testing with sigsegv
[15:23] <cohonen> rbasak: im pretty sure it wont
[15:23] <cohonen> also editing interface has NO  EFFECT!@!!!!
[15:23] <cohonen> which 99.8888% of ubuntu forums suggests
[15:23] <rbasak> cohonen: https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/
[15:23] <cohonen> rbasak: let me verify
[15:24] <cohonen> rbasak: yes, that one will work, EXCEPT, it still appends the ISP DNS servers
[15:24] <cohonen> I dont want ANY dns servers other than the ones i choose
[15:25] <cohonen> not ISPs
[15:25] <cohonen> not googles
[15:25] <cohonen> just the ones i pick
[15:25] <cohonen> and resolvconf doesnt seem to let you do anything other than prepend or append to crap i get from whatever dhcp server answers
[15:26] <cohonen> i know i can probably edit some dhclient thing
[15:26] <cohonen> but why do i have to,, i just want resolvconf to go the way of the dodo
[15:26] <rbasak> cohonen: I'd say that's a matter of configuration of your DHCP client, not resolvconf. Of course disabling resolvconf will disable it too, but that doesn't feel like the correct place to configure what you want to me.
[15:26] <rbasak> I'm quite happy with resolvconf.
[15:26] <cohonen> /etc/resolv.conf IS THE PLACE
[15:27] <rbasak> /etc/resolv.conf is fine for static DNS configuration.
[15:27] <cohonen> i just get tired of crap trying to the me where to get my IPs from
[15:27] <rbasak> It doesn't work well for dynamic environments - such as a laptop.
[15:27] <cohonen> rbasak: which is what i want
[15:27] <rbasak> cohonen: and you can have what you want, but you're expected to know how to configure the bits you need.
[15:27] <cohonen> rbasak: i does if you know good dns servers and youre not in a  stazi country or network
[15:28] <cohonen> rbasak: so,, back to my original question
[15:28] <cohonen> if i remove resolvconf, dpkg tells me, ill remove that AND ubuntu-minimal ALSO
[15:28] <rbasak> ubuntu-minimal is a metapackage.
[15:28] <cohonen> so, doesnt do anything ?
[15:28] <rbasak> You might break release upgrades, but no your system shouldn't really break apart from that.
[15:29] <cohonen> okey,,, hmmm
[15:29] <rbasak> However, understand that you're going "off piste", so any future bugs or issues caused by doing this are down to you.
[15:29] <cohonen> btw,, its on ubuntu server, on my toy servers
[15:30] <cohonen> why is it wierd that i want a 100% self managed dns there ?
[15:30] <cohonen> even if i use dns (my isp forces me to)
[15:30] <cohonen> dns / dhcp
[15:32] <rbasak> It's odd that you want DHCP but not DNS from DHCP.
[15:32] <rbasak> If you just wanted a static IP and static DNS, you can do that with dns-nameservers in /etc/network/interfaces and everything would lbe fine.
[15:32] <cohonen> well, i admit its not the most common
[15:32] <rbasak> So it seems to me that what you really want is to configure dhclient to not take DNS.
[15:33] <cohonen> no no i tried messing with /etc/network/interfaces
[15:33] <cohonen> hmm
[15:33] <cohonen> i think i have to look into dhclient
[15:33] <cohonen> rbasak: yes it seems so
[15:33] <cohonen> sigh
[15:33] <cohonen> rbasak: reason is that my IP is external but not 100% static
[15:34] <rbasak> Get a better ISP :)
[15:34] <cohonen> better would mean digging a fiber myself
[15:34] <cohonen> its pretty good as it is, just has a few annoyances
[15:36] <rbasak> niedbalski: I'm not sure that bug 1430181 is appropriate to fix in an SRU or during feature freeze in Vivid (without an exception).
[15:36] <rbasak> niedbalski: seems to me that TCP binding is a new feature because the switch is documented to support UDP only.
[15:37] <rbasak> niedbalski: the patch looks pretty extensive too.
[15:40] <cohonen> rbasak: okey i guess the best solution is to edit the dhclient, that seems to work, very tempted to set up a xattr to lock the file
[15:43] <cohonen> rbasak: yea , the solution is to NOT request dns-nameserver domain search etc via dhclient
[15:44] <cohonen> thanks
[15:44] <cohonen> later guys
[15:44] <rbasak> cohonen: no problem
[15:44] <rbasak> cohonen: thinking about it...
[15:44] <cohonen> ???
[15:44] <rbasak> cohonen: I think that with resolvconf disabled, dhclient is probably writing to your /etc/resolv.conf.
[15:44] <cohonen> it makes sense sorta,.
[15:44] <rbasak> I could be wrong though.
[15:44] <rbasak> So removing resolvconf might not have helped you here anyway.
[15:44] <cohonen> that what it seems like
[15:45] <rbasak> So maybe rage a little less at resolvconf? :)
[15:45] <cohonen> i kindof want to reinstall resolvconf just to be close to a normal ubuntu install
[15:46] <jrwren> cohonen: I think resolvconf may help you more than hurt you. It makes it easy to override dhcp's dns settings.
[15:47] <cohonen> jrwren: well , i see that it has options to all resolvers for interfaces
[15:47] <cohonen> it just another complexity i dont like
[15:48] <jrwren> cohonen: I used to agree, then I learned it, saw the problems it solves and embraced it.
[15:49] <cohonen> jrwren: yea , i had the same experience with firewalld on rhel/fedora clients
[15:49] <jrwren> cohonen: to override nameservers for dhcp on eth0, run: echo nameserver 8.8.8.8 | sudo resolvconf -a eth0
[15:50] <cohonen> jrwren: anyway, i reinstalled minimal and resolvconf
[15:50] <cohonen> jrwren: and that will be the only dns server then
[15:50] <jrwren> cohonen: you can later remove with sudo resolvconf -d eth0
[15:50] <jrwren> cohonen: I do not think it will be the only, but it will be first, so unless it is down it will be only one used.
[15:50] <cohonen> jrwren: and that setting is persistent across boots ?
[15:51] <cohonen> jrwren: hmm okey, thats like the head file
[15:51] <jrwren> cohonen: unsure, I tend to run ephemeral server instance, so I don't reboot
[15:51] <cohonen> i dont reboot much either, but i want to be able to trust as much state as possible
[15:52] <cohonen> jrwren: i still belive that in my particular usecase the answer was to kick dhclient in the face and tell him NO DNS !
[15:53] <jrwren> cohonen: why is that?
[15:53] <jrwren> cohonen: my isp provides poor dhs too :)
[15:53] <cohonen> mine too
[15:54] <cohonen> and im not gonna use googles even if it gave free BJs
[15:54] <jrwren> was just an example I used :)
[15:54] <cohonen> so i have a list of freedom respecting DNS servers
[15:54] <jrwren> what are these freedom dns?
[15:55] <cohonen> jrwren: yea, they were clever , getting 8.8.8.8
[15:55] <cohonen> jrwren: well 2 are small providers
[15:56] <cohonen> 2 are opendns which are obviously not so cool
[15:56] <cohonen> but i count on that losing the first 2 is rare
=== markthomas|away is now known as markthomas
[16:10] <strikov> smoser: i just found out how to make canonistack faster; due to some reason m1.large gets much faster i/o than m1.small which significantly increases performance; that looks like something wrong but it works :)
=== markthomas is now known as markthomas|away
[16:14] <smoser> stnice.
=== markthomas|away is now known as markthomas
[16:28] <strikov> rbasak: this looks like a correct crash report, right? http://paste.ubuntu.com/10724987/
[16:29] <rbasak> strikov: yes that looks good
[16:29] <strikov> rbasak: that's what i get with the hook copied to the right place; basically: http://pastebin.ubuntu.com/10724996/
[16:30] <strikov> rbasak: we had this file in .files before but switched mysql-server from dh_movefiles to dh_install which required .install
[16:30] <rbasak> strikov: does "ubuntu-bug /usr/sbin/mysqld" generate a report? When I tried it, it hung forever.
[16:30] <strikov> rbasak: yes, in a few moments
[16:30] <rbasak> strikov: OK. It's much simpler than I thought then. Sorry!
[16:31] <strikov> rbasak: okay :)
[16:31] <strikov> rbasak: you owe mean one really painful bug though
[16:31] <strikov> *me
[16:32] <rbasak> :)
[16:33] <strikov> rbasak: and returning back to sigsegv dumps; is it expected that they are not going through apport?
[16:56] <samba35> i am using ubuntu 14.04 with ssh i want to change default ssh port to 5123 but when i change it is not able to change port it always show 22 , i make changes in sshd_configu port 5123
[17:14] <bekks> samba35: Chaneg the port and restart the sshd daemon.
[17:35] <strikov> rbasak: https://bugs.launchpad.net/ubuntu/+source/init-system-helpers/+bug/1439793
[17:35] <strikov> rbasak: not sure if it worth fixing but want to let ubuntu-devel guys know about that corner case
[17:38] <samba35> bekks: thanks i was makeing some mistake with service restart i was using /etc/init.d / method to restart the service but now with service ssh restart it work
[17:38] <samba35> thanks
[17:41] <bekks> samba35: For sshd, that actually doesnt matter :)
[17:42] <samba35> you mean for starting service ?
[17:44] <bekks> samba35: Yes.
[17:44] <samba35> but unfortunately it did not work for me
[17:45] <samba35> but service xx restart work
=== kickinz1 is now known as kickinz1|afk
=== Lcawte is now known as Lcawte|Away
=== markthomas is now known as markthomas|away
=== lazyPower is now known as lp|away
[20:40] <wiredfool> I've got an older server running trusty w/ a 4 disk raid 10 setup, initially setup on 500gb disks but now on 1tb due to several single drive failures + rebuilds. I'd like to convert it to a 2 drive raid 1, using the currently unpartitioned space, and free up two disk trays for ssds.
[20:42] <wiredfool> current mirror is /dev/md1.  I'm thinking of making a new degraded raid 1 mirror, /dev/md2, with /dev/md1 as it's only member. Then reboot for that to be /. then I'll tail out one of the drives, repartition it, and add it to /dev/md2 and let it rebuild. Then when that's good, I'll fail /dev/md1 out of the array, fail one more drive out of it, and add it to /dev/md2, and let it rebuild again.
=== markthomas|away is now known as markthomas
[20:44] <wiredfool> then I should have a working raid1 set, and a pair of drives that still have the same data (if I'm lucky and fail the correct drive on the second try).
[20:44] <wiredfool> Is this a workable plan, or is it totally daft?
[20:49] <parallel21> I have a directory that has a size of 0 and I am unable to delete it
[20:49] <parallel21> Unable to cd into it either
[20:54] <JanC> parallel21: permissions?
[20:57] <JanC> wiredfool: you'd have to pastebin more specific info, but failing disks in a RAID system to re-use them for something else is certainly possible
[20:59] <parallel21> JanC: Doing this as root
[21:00] <teward> is there any harm on my local computer to edit the ownership of files in /etc/bind for my bind server for my user to own it, and bind group to have access as well?
[21:00] <sarnold> teward: if you don't mind your web browser being able to edit those files.. :)
[21:01] <JanC> parallel21: did you run fsck on the file system?
[21:01] <teward> sarnold: given that this system is encrypted out the wazoo and the password is complex enough that I have to plug in a yubikey just to actually enter the password when prompted... :P
[21:01] <teward> sarnold: it's a local bind9 instance for local IPs only on the system (for the VMs on the host only subnets xD)
[21:02] <sarnold> teward: hehe, I figured you weren't actually going to run firefox on your dns systems :)
[21:02] <teward> sarnold: indeed.
[21:02] <sarnold> teward: but I saw an opportunity for a joke and had to take it :)
[21:02] <teward> sarnold: THOSE are on separate servers xD
[21:02] <teward> sarnold: indeed.
[21:02] <teward> sarnold: i meant from a runtime perspective if things'll break - setgid on the directories would enforce group ownership xD
[21:02] <wiredfool> JanC: is there a way to tell which disks are paired in a mdadm raid10?
[21:03] <sarnold> teward: should be fine, just so long as bind can read them
[21:04] <JanC> wiredfool: I never used mdadm raid10, so don't know for sure, but I assume there is
[21:04] <teward> sarnold: indeed, g+r is still in place, and the directory is set o+s g+s, with MYUSER:bind as the ownership
[21:05] <JanC> I've done it with a raid1 though
[21:05] <teward> s/o+s/u+s/
[21:08] <wiredfool> I could add in a second partition on one drive that I'm going to keep, prior to failing out the first drive, and then watch the iostat to see what's reading and what's writing.
[21:10] <JanC> wiredfool: I'm pretty sure mdadm can tell you what devices are used for what purpose?
[21:39] <wiredfool> JanC: not in a manner that's obvious -- http://pastebin.com/6hH14K3a
=== robher_ is now known as robher
[21:44] <JanC> wiredfool: the "layout" parameter should be useful
=== mattgrif_ is now known as mattgriffin
[21:55] <JanC> wiredfool: https://en.wikipedia.org/wiki/Linux_MD_RAID_10#Linux_MD_RAID_10
[21:58] <JanC> looks like /dev/sda3 & /dev/sdb3 are part of 1 mirror, and /dev/sdc3 & /dev/sdd3 of the other
[22:00] <JanC> so you can fail one device in each mirror
[22:08] <wiredfool> ok, if running code matches wikipedia