[04:01] <Jeeves_Moss> is there a way to logrotate v-hosted apache log files by making a cnf directory so I don't have to edit /etc/logrotate.d/apache every time?
[07:49] <lordievader> Good morning.
[07:58] <arcsky> hey guys where do i find security update settings ?
[07:58] <arcsky> cli
[08:54] <RoyK> arcsky: what security update
[09:38] <arcsky> RoyK: lets say Ubuntu release a security update and i want to know how i can automatic install it
[09:38] <lordievader> Do you mean the security repos?
[09:39] <arcsky> lets say openssl got a zeroday vulnerability i want it to be installed so fast ubuntu release it
[09:41] <lordievader> arcsky: So some kind of auto update script?
[09:41] <lordievader> Write that and throw it in cron?"
[09:41] <mybalzitch> I'd just subscribe to the security mailing list
[09:41] <mybalzitch> and intervene when required
[09:43] <arcsky> ok
[09:43] <arcsky> http://www.howtogeek.com/204796/how-to-enable-automatic-security-updates-on-ubuntu-server/
[09:56] <RoyK> arcsky: I usually enable that during install
[11:31] <arcsky> Anyone have configured openSSH to authenticate to a Windows 2008 NPS?
[12:39] <purefan> Hello. Not sure if this makes sense but I want to trace the order in which programs interact with an HTTP request, for example is IPTables the first point of contact with any network packet?
[12:52] <patdk-wk> no
[12:52] <patdk-wk> iptables never touches packets ever
[12:52] <jelly> purefan: iptables is kernelspace (and is actually netfilter?).  If you're going that low, you should probably mention the ethernet driver first?
[12:53] <patdk-wk> and the whole kernel packet interface, and other things that modify them, like ipsec, bonding, teaming, vlans, ...
[12:53] <jelly> someone actually uses teaming?
[12:54] <purefan> jelly: yes, Netfilter, Im just used to calling it IPTables because of the command. As for the driver I dont know how to easily work with that, I imagine it would require recompiling
[12:54] <purefan> patdk-wk: but iptbables/netfiler can reject packets
[12:54] <patdk-wk> netfilter can, iptables can't
[12:55] <patdk-wk> iptables is just a userland interface to load rules into netfilter
[12:55] <purefan> patdk-wk: ok agreed, but I think you understood what I meant
[12:55] <jelly> not sure if <pedant> or distinguishing from ye olde 2.4 days
[12:56] <patdk-wk> it's changed again in 3.x too :)
[12:56] <patdk-wk> iptables is only kept for compatability
[12:56] <jelly> twice, I think
[12:57] <patdk-wk> ya, I follow his blog, interesting stuff, except he is on a bitcoin kick now
[13:04] <Kgirthofer> can I have a cronjob run at 00 or does it start at 01
[13:06] <TJ-> I think it's 0-59
[13:11] <jelly> Kgirthofer: yes you can
[13:12] <Kgirthofer> cool thanks
[13:32] <RoyK> :(){ :|:& };: # as smilies come
[13:33] <mybalzitch> you and your fork bomb can take a seat over there
[13:34] <RoyK> tieinv: hehe
[13:34] <RoyK> mybalzitch: that was for you, sorry
[13:34] <mybalzitch> :D
[13:46] <jelly> RoyK: that gets you instabanned in some of my channels :-)
[13:47] <jelly> ohno, it's the monkeyface-with-musical-notation forkbomb, kill it with fire
[15:59] <rbasak> jamespage: FYI, I just invalidated bug 1438757 since I'm not aware of any plans to backport IPv6 support in keepalived to Trusty. Just thought I'd mention it in case you know any different.
[16:00] <jamespage> rbasak, I'm happy to add that as a backport for the UCA
[16:00] <jamespage> rbasak, but fine with rejecting it for 14.04 vanilla
[16:01] <rbasak> jamespage: OK. Shall I add a task for cloud-archive?
[16:02] <jamespage> rbasak, nah
[16:02] <jamespage> its baking now
[16:02] <jamespage> it will be for liberty only
[16:02] <jamespage> onwards rather
[16:02] <rbasak> jamespage: ah, so you're doing it already?
[16:02] <jamespage> rbasak, yes - its a point and click process
[16:02] <rbasak> OK. Thanks!
[16:02] <rbasak> I'll update the bug.
[16:03] <jamespage> rbasak, thanks for the headsup
[16:04] <rbasak> np!
[17:13] <Qantourisc> WARNING: do not run: kill -sSIGTERM 1
[17:13] <Qantourisc> According to man it should shutdown
[17:14] <Qantourisc> In my case it just reloads
[17:21] <lordievader> Why would you want to kill init?
[17:21] <RoosterJuice> hi there, my web server seems to have been exploited and my IP is being blocked for performing brute force login attacks... How can I fix this and remove any script that is causing this to happen?
[17:21] <RoosterJuice> my isp received an email from blocklist.de
[17:22] <patdk-wk> RoosterJuice, reinstall
[17:22] <patdk-wk> maybe even throw the hardware in the trash and replace it also
[17:22] <patdk-wk> with the new smm cpu hack
[17:22] <RoosterJuice> anyone with a real answer?
[17:22] <patdk-wk> that is a real answer
[17:23] <patdk-wk> how else will you guarrentee NOTHING exists from them?
[17:23] <patdk-wk> and that it is secure from them doing it again?
[17:23] <RoosterJuice> it's a VPS
[17:23] <lordievader> It depends on the type of exploit, if the uefi firmware is exploited a reinstall won't help.
[17:23] <patdk-wk> well, throw that vps away, and build up a new one
[17:24] <Qantourisc>   /w 25
[17:40] <Qantourisc> lordievader: not kill init, request a shutdown
[17:41] <lordievader> Sounds like a bad idea, nonetheless.
[17:42] <Qantourisc> lordievader: well it's how lxc requests a shutdown to quest when the os has no /dev/initctl
[17:42] <Qantourisc> lordievader: and the manual of init (of upstart) specifies SIGTERM == request shutdown
[17:43] <lordievader> I see, that is why it is strange to me ;)
[17:45] <Qantourisc> lordievader: maybe i should install a full VM to test sigtem
[17:45] <Qantourisc> but it feels like overkill, installing a full ubunut to test 1 thing :p
[17:48] <Qantourisc> Don't suppose anyone has a ubuntu running they want to shutdown right now ? :D
[18:01] <pmatulis> Qantourisc: get serious
[18:16] <blizzow> I have a 13.10 server that I'm trying to do-release-upgrade on.  do-release upgrade ran and exited prompting me to reboot, so I did that.  After the reboot, I was still at 13.10 on my splash screen.  So I tried again, and still got the same thing.  lsb_release -rc returns 13.10/saucy as well.  I tried doing apt-get dist-upgrade and it shows a huge list of packages to be upgraded, and goes through extracting templates from packages then preconfiguring
[18:16] <blizzow> Anyone know how I can get my release upgrading?
[18:19] <blizzow> I tried to remove all packages in /var/cache/apt/archives/
[18:20] <patdk-wk> sounds very odd
[18:20] <patdk-wk> it shouldn't work at all
[18:21] <genii> Saucy packages should now be in old-releases.ubuntu.com, might want to put that in your sources.list instead of the old default ones. Then dist-upgrade and then do-release-upgrade
[18:33] <blizzow> swapped out archive.us.ubuntu.com to old-releases.ubuntu.com and put saucy back in place of trusty.  did an apt-get update/apt-get dist-upgrade.  Said 0 packages needed to be upgraded.  So I did a do-release upgrade, I'm getting all kinds of 404 errors trying to pull repos and even a hash sum mistmatch. :(
[18:43] <blizzow> Can't seem to figure a way out of this morass.
[18:45] <sarnold> blizzow: do you have any apt-cacher-ng configured? I wasted a few hours chasing hash sum mismatches with it before finding out that uit was buggy in some releases .. or entirely buggy ..
[18:47] <blizzow> no apt-cache stuff enabled on this machine.
[18:52] <blizzow> yikes, now when running dpkg --reconfigure -a I get "cannot execute binary file"
[18:54] <sarnold> blizzow: check dmesg?
[18:54] <sarnold> blizzow: I think that error message happens mostly when there are architecture mis-matches, e.g. trying to run an x86 compiled binary on armhf, for example, but maybe you've got a dying drive or something simlar
[18:55] <blizzow> nothing in dmesg output that would indicate running wrong arch or filesystem issues.
[18:58] <blizzow> Deleting the contents of /var/cache/apt/archives/ and re-attempting shows all downloaded packages are amd64 arch as well.
[19:19] <blizzow> okay, I think I'm making some progress. I copied the latest dpkg from /var/cache/apt/archives/ and did an ar -vx dpkg_1.17.5ubuntu5.4_amd64.deb.  I then copied the the extracted files into the same locations in / .  dpkg-reconfigure -a "fixed" some packages.  Now running a dist-upgrade is upgrading and reconfiguring all kinds of stuff across the board.Are there other steps do-release-upgrade does that changing sources.list and running apt-get dist-up
[19:21] <ogra_> yes, a lot ...
[19:21] <ogra_> (you got to check the source for details though, but it also helps handling transitions etc)
[19:24] <blizzow> assuming all the packages successfully get dist-upgraded to trusty. is do-release-upgrade smart enough to do the rest of the transition steps after the fact?
[19:24] <blizzow> never mind, I guess, I'm forced to figure this out for myself in a minute ;)
[19:38] <hallyn> zul: smb: neither of you planning a wily libvirt update?
[19:39] <zul> hallyn: nope focus is else where
[19:58] <hallyn> eeeeeexcelent
[20:07] <hallyn> zul: smb: going to test a bit more, but then probably push libvirt-stop-guests
[20:08] <hallyn> (minus some tab/space cleanup)
[20:26] <jcastro> zul: someone on twitter is asking, what was our first ubuntu that did maas/juju for openstack?
[20:26] <jcastro> zul: page is asleep probably so I'm deferring to you. :)
[20:28] <jcastro> I wanna say 12.04?
[21:02] <thebwt> 10.04 was still euca wasn't it?
[21:04] <thebwt> jcastro: http://www.zdnet.com/article/canonical-switches-to-openstack-for-ubuntu-linux-cloud/
[21:04] <thebwt> 11.10
[21:05] <jcastro> we didn't maas back then did we?
[21:05] <jcastro> man, it's all like a blur
[21:26] <arcsky> Anyone have configured openSSH to authenticate to a Windows 2008 NPS?
[21:29] <patdk-lap> what is an nps?
[21:29] <patdk-lap> never heard of this thing before
[21:30] <patdk-lap> oh, it's the replacement for the old radius server
[21:30] <patdk-lap> openssh can't auth against that, won't work
[21:40] <tarpman> patdk-lap: why not? libpam-radius-auth exists
[21:41] <patdk-lap> ya, pam would support it
[21:41] <patdk-lap> but openssh doesn't
[21:41] <patdk-lap> openssh -> pam -> radius -> windows nps
[21:42] <patdk-lap> but one cannot configure openssh to auth against nps as he asked though :)
[21:42]  * tarpman waves hands vaguely
[21:43] <trippeh> windows, could you just auth with AD (kerberos) instead? :P
[21:43] <patdk-lap> yes
[21:43] <patdk-lap> that is what I do
[21:44] <patdk-lap> and you have several ways you could do that
[23:04] <PGNd> Could anyone up on latest Debain latest kernel pls check their value for `grep -i 6RD /boot/config-$(uname -r) && uname -r` (or the equivalent location ...) ?  Looking for distro support for 6RD ...
[23:05] <PGNd> Oops, ubu-svr
[23:06] <bekks> PGNd: In here, you will find users with the latest Ubuntu kernel ;)
[23:06] <PGNd> bekks: right, hence the "Ooops" ...
[23:09] <sarnold> PGNd: CONFIG_IPV6_SIT_6RD=y 3.13.0-57-generic
[23:11] <sarnold> PGNd: this is missing vivid and wily for some reason, but might be useful http://kernel.ubuntu.com/~kernel-ppa/configs/
[23:11] <PGNd> sarnold: Thx.  That's 'latest' kernel version @ ubuntu-server?
[23:11] <PGNd> Ah, thx
[23:11] <sarnold> apw: http://kernel.ubuntu.com/~kernel-ppa/configs/ is missing vivid and wily
[23:12] <sarnold> PGNd: well, "latest" is slightly difficult to specify -- I haven't rebooted in a while, this laptop is on 14.04 rather than 15.04, but and 14.04 has multiple supported kernel series on it anyway...
[23:12] <sarnold> "but and". wow.
[23:14] <PGNd> sarnold: heh.  typing & grammare are the 1st to go ...   the link's good enuf. thx.
[23:14] <sarnold> PGNd: hehe :)