=== markthomas is now known as markthomas|away
=== Lcawte is now known as Lcawte|Away
=== markthomas|away is now known as markthomas
KnightmareDoes anyone know if it's ok to use lxd on a home server? I want to replace kvm as my main hypervisor.06:53
lordievaderGood morning.07:06
sysrexGood morning everybody07:32
ld2412Hello guys. Can anyone help me to setup an Ubuntu Server with full disk encryption?08:26
ld2412I've been googling around but haven't find anything like a guide08:26
ld2412May be someone have a guide so please share a link08:28
RoyKld2412: it's a choice during installation08:28
ld2412But if a rent a server (dedicated) and os is already installed08:28
ld2412I mean this case08:29
RoyKld2412: not sure how to encrypt an existing system08:29
ld2412RoyK: nevermind. I'm sure it's possible and it's somehow connected with KVM thiing08:30
TJ-Encrypting an existing file-system using LUKS/dm-crypt?08:31
ld2412TJ-: How to decrypt hdd after a reboot?08:31
TJ-ld2412: That depends on how it was encrypted :)08:32
ld2412So, can you help me with it? :)08:32
TJ-ld2412: Give some specifics and I may be able to08:34
TJ-Ahhh... silent encryption, eh, sneaky!08:39
ld2412TJ-: I've sent you messages08:40
TJ-ld2412: Please keep the support messages in the channel so others can learn from the issue08:41
ld2412The example08:42
ld2412I rent a dedicated server08:42
ld2412It comes with default Ubuntu Server 14.0408:42
ld2412That's it08:42
ld2412Full disk encryption is needed for that server08:43
ld2412I have just ssh root shell access08:43
TJ-ld2412: OK... well first off, anyone with physical access will be able to circumvent any encryption08:45
ld2412That is clear :)08:46
ld2412But still08:46
TJ-ld2412: so what attacks are you looking to prevent. Encryption will protect the data if the server is powered off, but as soon as it powers up and is active, the block devices are available unencrypted and the key is in memory08:46
ld2412You have already named the reason - protection when server is powered off08:47
TJ-ld2412: Well, it's unusual to have a dedicated server that isn't powered on :)08:48
ld2412That is true :D08:48
ld2412But stiil, encryption is needed08:48
TJ-ld2412: that said, you can configure an initrd.img with a small ssh client that can connect out to get a key to unlock encrypted devices08:48
TJ-ld2412: it's much better to protect individual files/sets of files, if the aim is to protect personal data in, for example, databases08:49
RoyKld2412: usually, with full disk encryption, you'll have to type a password on the console to unlock it - for a headless machine, that's a bit tricky08:49
RoyKld2412: and storing the password in the bootup renders encryption rather useless08:50
* RoyK encrypts all his data with ROT13 - twice!08:50
TJ-ld2412: If you want to protect data areas but the OS doesn't need encryption, then that makes it slightly easier since you can wait for the init system to start before needing to handle unlocking the encrypted device(s)08:50
TJ-RoyK: That is so secure with UTF-16 :)08:51
RoyKld2412: if you're really paranoid, setup your own hardware :P08:52
ld2412I can't setup my own :)08:52
lordievaderRoyK: 2x rot13 is the best security! By far.08:52
lordievaderld2412: Ain't it better to make luks containers for your critical data rather than go full disk encryption?08:53
ld2412I think FDE is better08:53
ld2412I dont mind typing a password on each reboot08:53
ld2412Is there any guide on the internet? I haven't found one08:54
RoyKld2412: do you have console access or just ssh? also - why so scared? the ISP will gain access if they want to08:54
ld2412I have only ssh08:54
ld2412That's my personal "features" :D08:55
ld2412Please help guys08:55
TJ-lordievader: FDE and LUKS are orthogonal. LUKS is simply a way to manage the keys of a dm-crypt device08:55
RoyKld2412: well, as TJ- said, you can probably get sshd into the initrd to help, but setting this up on a machine without console access will be hard - I've never tried it...08:56
lordievaderTJ-: I know. I was targeting encrypted lvm volumes.08:56
ld2412I one provides me with step by step guide I will thank that person via bitcoins :)08:56
TJ-ld2412: if you use FDE first of all, it won't be FDE, what it will be is root file-system file-system encryption. you'll need a separate unencrypted /boot/ file-system containing GRUB and the kernels/initrd.img08:56
RoyKld2412: why on earth would you bother with encrypting the root?08:57
ld2412Of course boot leaves unecrypted08:57
ld2412I am a bit more than average user, so not all the things you guys say are clear08:58
TJ-ld2412: install a sttically linked ssh client in the initrd, that is hard-coded to contact your key-server via a key-script, and then crypsetup's cryptroot update-initramfs scripts can do the rest08:58
RoyKld2412: this is a bit on the advanced side ;)08:58
ld2412RoyK: That is why advanced help is needed :)08:59
TJ-ld2412: some people install dropbear in the initrd, the micro-ssh-server, and have it wait for incoming connections from a key-delivery system, also, but I prefer the call-out method08:59
lordievaderPersonally I don't think it is worth the trouble.09:00
TJ-ld2412: I've been working on ssh support in GRUB so GRUB's LUKs encryption can be used remotely too, to allow the /boot/ file-system to be remotely unlocked. Currently it requires console access to unlock GRUB's root file-system09:01
ld2412TJ, would you like to help me tet-a-tet and I will pay your time?09:02
TJ-ld2412: no thanks, I've got enough of my own to do09:03
TJ-ld2412: pro tip... practice in a simple local VM guest until you're confident it works and you understand it09:04
ld24121Sorry, my interned connection failed and I was disconnected09:07
TJ-With servers that my contain confidential info a better solution is to use per-application encryption that encrypts its data before writing to disk, such as in databases, so even if the files are compromised the contents are safe09:07
=== ashleyd is now known as ashd
=== justizin_ is now known as justizin
=== Lcawte|Away is now known as Lcawte
CelphishHello everyone!09:53
CelphishGot a quick question for you:09:53
CelphishIf I have a server, on which I run a very important web-service for our business, and I want to add two drives to fstab and then type "mount -a", will anything be interrupted or will the new drives just be added?09:54
lordievaderThe second.09:54
Celphishlordievader: so mount -a doesn't do anything to the already mounted?09:55
Celphishnot that I don't believe you lordievader but I need to be 200% sure, can someone confirm?09:59
dasjoeA "very important web-service" should be built in a redundant way10:00
TJ-Celphish: test it locally10:02
rbasakmagicalChicken: how do you feel about bug 869017? Are you happy to post to ubuntu-devel?10:22
ubottubug 869017 in kbd (Ubuntu) "Ubuntu server enables screenblanking, concealing crashdumps (DPMS is not used)" [Medium,In progress] https://launchpad.net/bugs/86901710:22
RoyKCelphish: well, of course, I use it regularly, but as dasjoe says, make it redundant10:27
rbasakmdeslaur: around? I'm looking at sponsoring bug 1394403 - as you're looked at it before I'd like your opinion please.10:30
ubottubug 1394403 in apache2 (Ubuntu Trusty) "RewriteRule of "^$" is broken" [Medium,Confirmed] https://launchpad.net/bugs/139440310:30
rbasakwhen I asked magicalChicken to look at it I didn't realise the upstream fix would add a configuration directive. But it looks like it's safe as it defaults to the same behaviour. Had you considered this already? Does it also look reasonable to you?10:31
rbasakI also think we should include the documentation update in our backport - better than not having it in the SRU IMHO.10:31
rbasaksmoser: reminder to look at bug 1481337 when you can please.10:34
ubottubug 1481337 in keepalived (Ubuntu Wily) "keepalived makes a floating IP available on more than one host after configuration reload" [Undecided,Confirmed] https://launchpad.net/bugs/148133710:34
rbasaksmb: thank you for driving bug 1483214! Looking good.10:35
ubottubug 1483214 in linux (Ubuntu Vivid) "ipmi_si module spams kernel log with "ipmi_si 00:05: Could not set the global enables: 0xcc."" [Medium,Fix committed] https://launchpad.net/bugs/148321410:35
smbrbasak, np, should be getting out as this cycle closes10:36
mdeslaurrbasak: I'm ok with the new config option...I've added options before to packages as security updates, so it's not like we haven't done it before. The option will change the behaviour though, but cases where it will break something are unlikely11:10
mdeslaurrbasak: for the documentation, meh...if it were man pages, I'd push for it...but the static web documentation, meh11:10
mdeslaurrbasak: especially since there are localized versions of the documentation and we'd only be updating the english version11:10
Azarili cant get random_delay to work in /etc/crontab11:11
mdeslaurrbasak: the only thing is perhaps add what the option is and how the default has changed to the changelog11:11
Azarilevery job runs exactly on the minute11:13
Azarilthat its "supposed" to11:14
rbasakmdeslaur: OK. Thanks!11:16
jpdsAzaril: No mention of RANDOM_DELAY on "man crontab"11:25
SeerKan`Hi guys11:48
SeerKan`If I mount a gluster volume from server1 with server2 as backup with the fuse mount, I understand that once server1 is down it will use server2 automatically. But what happens when server1 is back ? will it start automatically use server1 even if it doesn't have the latest data or keep using server2 until it goes down and then go back to server1 ?11:48
Azariljpds: having gone through a lot of google, apparently ubuntus version doesnt support it11:51
jpdsAzaril: Not mentioned in the manpage. :)11:51
Azarilyeah, not in ubuntus11:51
Azarilill have to do it by hand11:51
teward(whee wordpress exploded)12:15
tewardrbasak: FYI, i've downloaded the nginx package from Debian Unstable, and am test-building it without changes before pushing to PPAs...12:15
tewardso the latest 1.9.x will be 'available' via that PPA12:15
rbasakteward: sounds good. Thanks!12:21
tewardhas anyone seen sarnold, I think he was lookin for my writeup on my Landscape-and-Gitlab-On-the-Same-Server blog post on my headaches and solutions for everything on the same server xD12:21
tewardrbasak: no problem12:21
=== ws2k3_ is now known as ws2k3
magicalChickenrbasak: Oh, yeah, I need to ask the mailing list if they think it's a good idea. I'll send that email out this afternoon.12:30
CelphishQuick question, when I typ lsblk or fdisk -l, I see the same disk appear both as sdb and sdc, any way to get rid of sdc?12:55
TJ-Celphish: same disk? sounds like some symlinks or device nodes are stale12:56
CelphishTJ-: looks like it's the same disk yes12:56
CelphishTJ-: how do I check if it's the same, I've been fiddling with this for a few hours now, haha12:57
RoyKCelphish: do you have multipath somehow?12:58
TJ-Celphish: there are symlinks under /dev/disk/   check out "ls -l /dev/disk/by-id/" and look at the names/serial numbers and where the symlink points to, and follow the trail12:58
RoyKCelphish: I've seen same disk appearing twice if it's connected on multipath12:59
RoyKCelphish: if that's the case, setup multipath in linux12:59
beisnerhi coreycb, ready for me to push from proposed to updates in Kilo cloud archive?  FYI, this is the proposed vs. current updates list:  http://paste.ubuntu.com/12199098/13:01
coreycbbeisner, probably should wait until after 4:30 pm to officially have it in proposed for +7 days13:02
* beisner moves finger off the trigger13:02
beisnercoreycb, gotcha13:02
coreycbbeisner, the list looks good, thanks!13:03
CelphishRoyK: well, it was used faulty before, I haven't used it though.. When I did what TJ- said, it looks like one number points to sdc, and then the same number with the addition of "-part1" points to sdb1...13:03
beisnercoreycb, ok thanks for confirming.  I'll push later today.13:04
=== martins-afk is now known as martinst
TJ-Celphish: is it using multipath? how is the device connected?13:08
TJ-Celphish: also, check "/var/log/kern.log" and look at the messages when those devices are added by the kernel, that might give a clue13:08
CelphishTJ-: not sure tbh, think it's connected with fiber optic cable somehow13:09
RoyKCelphish: pastebin output of 'smartctl -i /dev/sdc' and similar for sdb13:09
CelphishRoyK: not installed on the server, smartctl, not sure I want to install it either since it's a production server13:12
TJ-Celphish: possibly "sudo dmsetup info" might give come clues13:13
CelphishTJ-: no devices found13:13
TJ-resort to the logs then :)13:13
RoyKCelphish: it should be installed :)13:16
RoyKCelphish: install smartmontools13:16
RoyKCelphish: it's very nice for monitoring and reporting things13:16
CelphishRoyK: I'm just a tad restrictive when it comes to install anything on a server that's in use by all our customers atm13:17
RoyKCelphish: it comes with smartd, monitoring physical disk health13:17
RoyKwell, uninstall it later, then13:17
CelphishTJ-: there are some interesting entries in the log but I'm not sure what they mean, haha :D13:27
Celphishalot of "device-mapper........ error getting device13:27
Celphishwith a "multipath" in between13:27
Celphishbut we've flushed all mp, there are none left13:27
TJ-Celphish: looks like stale device references then, not sure how they aren't identical though13:32
TJ-Celphish: you'd expect sdb sdb1 sdc sdc1 really13:32
CelphishTJ-: ye, that's what I suspected too... but how do I correct / remove stale references?13:51
TJ-Celphish: remove the nodes13:52
TJ-Celphish: and any sym-links of course13:52
CelphishTJ-: sorry for lacking the knowledge, but please elaborate on how13:55
TJ-Celphish: if you're not familiar with such basic tasks, I would recommend getting a capable sysadmin to deal with it. you said it is a production server.13:56
rbasakrharper: around? I'd like to talk about bug 1481289.14:11
ubottubug 1481289 in php5 (Ubuntu) "PHP 5.5.9 Default socket timeout being not honoured by application" [Medium,Incomplete] https://launchpad.net/bugs/148128914:11
rharperrbasak: here14:11
rbasakrharper: thank you for investigating the bug. It's turned out to be much more complicated than applying a simple patch (don't they all!) but at least that's clear now so it doesn't look like we're just ignoring people sending patches.14:12
rbasakrharper: I'd like to either get an SRU landed though, or drop it off my list for driving.14:12
rharperrbasak: indeed;  it's rather complicated w.r.t what's actually needed14:13
rbasakrharper: ah, so it's not a "minimal fix", right?14:13
rharperthere's nothing definitive in the referenced bugs that cleanly applies14:13
rharperand the upstream versions that are fixed are rather significantly modified in that area14:13
rbasakThe bug status should still be Triaged though - as it's about whether the bug is valid rather than if we have a readily available fix.14:13
rharperthey went through a number of iterations to get things working right14:13
rharperah, ok14:14
rbasakI gave you the bug because I thought it was trivial, rather than because it has a large user impact.14:14
rbasakSo I think it's fine to drop it on that basis, while inviting others to provide a minimal patch for SRU.14:14
rharperright, if we get a simpler patch (or any set of patches) I'd be happy to re-review that for SRU14:15
rbasakCould you maybe explain what you think is required to drive the bug further in the bug itself, and then withdraw and unassign yourself? Assuming we don't want to work on it ;)14:15
rharperrbasak: sure14:15
rbasakrharper: is there anything you're waiting on me for BTW? I'm trying to go through all the bugs I'm tracking but don't see anything else from you on my list.14:16
rharperrbasak: no;  I have the other bug related to puppet service status that I need to pick back up but that's not waiting on you, just me14:17
rbasakOK, np. Thanks!14:17
CelphishTJ-: well, they don't have any responsible syadmn :)14:18
smmoCoffeeIs this the right channel to discuss ubuntu openstack installation as a single installer without maas?14:30
rbasaksmmoCoffee: I'm not aware of a better place if it doesn't involve MAAS. Try asking your question.14:40
smmoCoffeerbasak: We're wondering if there are any recommended procedures for running openstack-install behind a proxy server14:48
rbasakstokachu: ^^ are you the right person to help smmoCoffee?14:51
smmoCoffeerunning it with the http-proxy argument helps, but I'm finding with a self signed certificate used by the proxy server14:51
rbasakdanwest: ^^14:52
danweststokachu, can you answer the proxy question for smmoCoffee?14:52
smmoCoffeewe're the there is an insecure option that might be passed to ignore the self signed cert14:52
RoyKsmmoCoffee: if you use a linux server as the router/proxy, you could setup transparent proxing14:53
smmoCoffeewe have no direct access to the proxy server14:54
danwestsmmoCoffee, looks like there is a proxy option [--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY]14:54
smmoCoffeelogs for the bootstrap lxc container show errors with curl14:54
RoyKI've never installed openstack, so sorry14:54
stokachusmmoCoffee:we have cli options that you can set to run behind a proxy, --http-proxy and --https-proxy14:55
stokachuhave a look at openstack-install --help14:55
smmoCoffeedanwest: yes, that's how I'm running and that is allowing us to actually get to whitelist sites like entropy.ubuntu.com14:55
stokachuoh self signed certificate14:56
RoyKdon't we just love those? ;)14:56
smmoCoffeecurl: (60) SSL certificate problem: unable to get local issuer certificate14:57
stokachuyea we don't implement a way to accept insecure certificates14:57
smmoCoffeethat appears in the bootstrap container clould init log14:57
stokachuwhats the full command thats being run14:57
stokachueverything we query for shouldn't be pulling in any self signed certificates14:58
rbasakI get the impression that smmoCoffee has a MITM proxy that expects you to have installed its CA in every client.14:59
rbasak(or bypass warnings)14:59
stokachuyea makes sense14:59
smmoCoffeeopenstack-install --http-proxy $PROXY_SERVER:$PROXY_PORT --https-proxy $PROXY_SERVER:$PROXY_PORT14:59
stokachusmmoCoffee:whats the output from the log where it fails14:59
stokachuyou can paste.ubuntu.com that14:59
rbasakSO I guess a proper solution is to install the CA everywhere (every container etc) where it is needed.15:00
rbasakThis might need cloud-init support for an ideal solution.15:00
RoyKthe proper solution is to use proper certificates15:00
rbasakAn MITM SSL proxy is reasonable in a controlled environment for consenting adults IMHO.15:01
rbasakOtherwise it's just something that tunnels through firewalls defeating their ability to keep you safe.15:01
stokachui wish the internet was more trusting15:01
stokachuso i wouldnt have to lock my doors at night15:01
RoyKstokachu: don't we all :P15:01
rbasakAnd being Free Software we should be free to run our own CAs if we wish. So this reduces to a feature request :)15:02
smmoCoffeejust as the ubuntu pastebin  url?15:04
stokachuyea just paste it at that url and post the link here15:04
stokachusmmoCoffee:youre running an older openstack-installer15:06
smmoCoffeeHere's higher level logging from the commands.log15:06
stokachufollow ^ that guide as that is the version that will end up in the ubuntu archives15:06
smmoCoffeeok, thanks. So we should use ppa:cloud-installer/experimental15:07
stokachuthe pollinate command should work behind a proxy so I think using the latest installer fixes all that15:07
smmoCoffeestokachu: thanks for confirming15:08
stokachunp, also you can find us in #ubuntu-solutions if you need anything further15:09
KnightmareA question for those in the know. Can I replace KVM with LXD?15:51
jpdsYou can't just migrate from one to the other15:52
tewardany landscape pros here?  (got a question about the actual Landscape Dedicated Server software)15:53
KnightmareI don't want to migrate. I was just wondering if I could use lxd instead of KVM.15:53
shaunoit depends what for.  you can use a shoe as a hammer, but not a hammer as a shoe.15:55
jpdsteward: Yes15:55
tewardjpds: what part of LDS listens on 8080?  And is it possible to make it listen elsewhere15:58
jpdsteward: I think that's the appserver15:58
teward(say, 28080 or similar, because portconflicts)15:58
jpdsteward: Why do you already have something on there?15:58
RoyKKnightmare: some prefer lxd over KVM - it will share resources better, but IMHO, KVM is nice15:58
tewardjpds: good question, it's more a hypothetical question :p15:59
tewardjpds: because it's an experimental system, so exploring it is different than production deployment15:59
tewardthere's quite a lot of cruft there15:59
teward(experimentation vlans ftw)15:59
jpdsteward: I always install LDS on a new VM15:59
tewardjpds: remove VM from the equation - my ESXi box that runs VMs decided to blow up on me16:00
tewardso i'm still hunting a replacement/warrantyfix16:00
teward(so it's on a barebones test system for now)16:00
tewardi was more curious what's listening on 8080 rather than changing the port :P16:00
jpdsteward: Apache just mod_proxy's stuff to the relevant component/appserver based on URL16:01
tewardright, which i discovered is fine, except for when you have one IP, many domains, then you need reverse proxies :/16:02
teward(I am also NOT an apache guru :P)16:02
tewardjpds: a lesson in how NOT to run things: I am temporarily putting LDS on my gitlab barebones box :/16:02
teward8080 is conflicted because Gitlab's Unicorn is on 808016:02
teward(I fixed that easy)16:02
tewardas i said16:03
tewardmy esxi box decided to nuke itself :/16:03
jpdsKVM is lovely :-)16:03
tewardmaking it WORK is not hard once you fix the port conflict16:03
tewardjpds: too bad it doesn't like this box16:04
tewardin either case - http://dark-net.net/?p=100 is my musings and discovery16:04
jpdsteward: Why doesn't it like that box?16:04
tewardjpds: old16:04
teward(old converted desktop, my guess is virtualization isn't present in BIOS/CPU chipset16:04
tewardjpds: interesting tidbit...16:04
KnightmareRoyK: Thanks for the advice!16:04
jpdsSo, ESXi isn't painful for you?16:04
tewardjpds: landscape-client refuses to recognize valid SSL on a Landscape server16:05
RoyKKnightmare: IMHO KVM (or other virtualisation software) is far better in security terms - it's total isolation, not merely smart chrooting16:05
teward(i.e. a valid SSL cert from an SSL certificate provider)16:05
jpdsteward: Weird16:05
tewardjpds: it required me to copy in the CA chain and provide it via the cli arguments16:05
tewardjpds: that *may* be a bug, but meh16:05
teward(it's a Comodo wildcard cert)16:05
jpdsteward: It'll use whatever the Ubuntu ca-certificates uses16:05
tewardweird because curl worked fine to recognize the SSL as valid16:06
tewardlandscape-client didn't16:06
teward(so did Firefox, and Chromium, and w3m even)16:06
tewardalso a funny story about Landscape - things run in KVM are sometimes NOT recognized as a VM16:06
tewardand as barebones hardware instead16:07
jpdsteward: landscape-client uses gnutls instead of openssl, which is slightly more stricter about certs16:07
* teward shrugs16:07
jpdsteward: Yeah, did you expose the host cpu flags to the guest?16:07
tewardjpds: wasn't my system, the other sysadmin set that one up16:07
tewardmy guess is 'maybe'?16:08
tewardmy experimental test instances only have VMs16:08
KnightmareRoyK: I've got a HP Microserver and just want to make the most of the resources.16:09
tewardjpds: another question if you have a moment - any way to get more than those 20 free licenses?  I assume one has to buy the advantage licenses, but my question is are they the same price, or do the prices on the canonical store reflect the Canonical-run Landscape instance?16:09
RoyKKnightmare: what sort of cpu? how much memory?16:10
jpdsteward: You have to buy licenses16:10
KnightmareRoyK: http://n40l.wikia.com/wiki/Base_Hardware_N54L16:10
tewardjpds: i know that, but are they the same licenses listed on the Ubuntu Advantage pages, or does one reach to Canonical Sales about pricing16:11
RoyKKnightmare: if kvm doesn't do the job, try lxc, or get some better hardware ;)16:12
jpdsteward: talk to sales16:12
tewardjpds: thank you!16:13
KnightmareRoyK: I don't need serious hardware for what I want to run. Just want to be a efficient as possible :)16:13
RoyKKnightmare: lxc is probably the best thing for that16:15
Beretteward, do you have an account on landscape.canonical.com?16:17
Beretteward, the hosted Landscape?16:17
rbasakjgrimm: I agree with you on bug 1397250 - I'd like *someone* (even if it's the reporter) to be able to reproduce it, or at least still be affected by it, before we attempt an SRU.16:37
ubottubug 1397250 in libnss-ldap (Ubuntu) "SIGPIPE not caught in do_atfork_child()" [High,Triaged] https://launchpad.net/bugs/139725016:37
jgrimmrbasak, thanks.. i was going to ping you for opinion on that. hopefullly someone can actually recreate the bug..16:41
jgrimmrbasak, i find it rather curious that the test reproducer didn't even hit the function that is patched as part of the fix when i enabled debugging.16:43
jgrimmrbasak, but has been an excellent learning exercise none-the-less16:43
tewardBeret: no, Landscape Dedicated Server, the personal-run one16:44
tewardNOT the cloud landscape.canonical.com16:44
tewardif I had the hosted landscape I'd have a support ticket in, not asking questions here :)16:44
jgrimmrbasak, would this actually be SRU'able even?  I can't think that this is hitting that many folks..16:46
rbasakjgrimm: if someone's actually impacted (rather than it being theoretical) then I wouldn't block doing an SRU on that basis (though time and resource is a separate thing, I'm always happy for an affected user to drive).16:47
rbasakjgrimm: OTOH, if we can't actually find anyone impacted because it's theoretical or that person has moved on and doesn't trigger it any more, then I see no point in risking regression by doing an SRU.16:48
rbasakThat's my personal opinion, anyway.16:48
jgrimmrbasak, that's my concern too16:48
tewardmmm... jpds, Beret: did either of you invite me to landscape.canonical.com for some reason?17:19
Beretteward, yes, do you not see my private messages?17:20
jpdsteward: He's onto you17:20
tewardBeret: +g17:20
teward(i get too much PM spam, being an op in bitcoin chans)17:20
teward(so I have umode +g on, which blocks PMs)17:20
Beretnot ideal17:21
tewardBeret: feel free to resend if you wish :)17:21
Beretpaste coming your way17:21
tewardBeret: getting spammed by 300+ bots is less ideal17:21
Beretget it this time?17:21
tewardBeret: yep!17:26
smmoCoffeehi, question about installing openstack per the single installer guide http://ubuntu-cloud-installer.readthedocs.org/en/latest/single-installer.guide.html17:52
smmoCoffeethe top level container is failing to initialize17:54
smmoCoffeea process execution error is thrown where the single_install python script tries to run pollinate command17:57
=== Lcawte is now known as Lcawte|Away
kirklandsmmoCoffee: the pollinate command should fail gracefully, quietly18:10
kirklandsmmoCoffee: is it not?18:11
kirklandsmmoCoffee: can you paste some logs?18:11
acmehandleI have a dump question.  I'm running nginx.    I set up a self signed certificate a few months ago.  everything worked great.  I checked it against site certificate ssl/tls checkers and it was getting high marks.    I bought a certificate and I guess I used the wrong key or something.  I forgot the whole process from a few months ago.  Right now I keep getting the same self signed certificate warning in the browser.18:13
=== lifeless1 is now known as lifeless
pmatulisacmehandle: check the nginx documentation to be sure19:11
smmoCoffeekirkland: here's the commands.log http://paste.ubuntu.com/12201532/19:15
kirklandsmmoCoffee: so, first, I should mention that https_proxy= is a really bad idea, from a security perspective19:17
SCHAAP137acmehandle, it might be that the selfsigned cert is still in your /etc/nginx/nginx.conf, while you defined the website and its new "legit" certificate in a config file in /etc/nginx/sites-enabled/19:17
acmehandleYes, seems I was passing the old csr to the cert issuer19:18
acmehandleHad to regenerate new server.key and new server.csr19:18
kirklandsmmoCoffee: next, can you try adding "-i" to the list of pollinate flags?19:18
acmehandlenow I have an ocsp server has not status of certificate.  But that appears to be that it requires to take a little time to resolve with the CA or something.19:19
SCHAAP137make sure to use an SHA-2 hashing function for the CSR, or your Chrome users will get the SHA-1 security warning when visiting the site19:21
acmehandleYes, Sha256 204819:21
SCHAAP137you could also generate custom DH parameters19:21
smmoCoffeekirkland: so try running the installer as: openstack-install --upstream-ppa --https-proxy= -i19:21
acmehandleI was thinking of going all the way to 11 by using 4096...but in todays world I dont know if anyone cares19:21
SCHAAP137strengthens it a bit more19:22
SCHAAP137i use 4096 for mine19:22
acmehandleOh, cool.19:22
kirklandsmmoCoffee: sorry, no19:22
acmehandleI generated a dhparam.pem using 409619:22
acmehandledont know if that matters,19:22
SCHAAP137getting the 100/100/100/100 mark on ssllabs.com is not that hard either19:22
acmehandleor if it will cause a problem19:22
acmehandleNot if you have a vague idea of what youre doing   :-)19:22
acmehandleWhich is pretty much what I have19:23
acmehandleBut as long as its secure I dont care.19:23
SCHAAP137hehe, if you're using a 2048 bit cert, 2048 bit dhparams would be sufficient, but more is even better19:23
SCHAAP137generally speaking19:23
SCHAAP137as long as it's not less19:23
acmehandleThis was really more of an exercise for me.  To gain some experience.  But with everyone moving to clouds I dont know if anyone cares anymore.  Besides me.19:24
patdk-wkgetting 100/100/100/100 and maintaining a USABLE site, is hard :)19:24
smmoCoffeekirkland: where/how is the pollinate flag "-i" passed or configured?19:24
acmehandleDo you have ocsp as well SCHAAP137?19:24
kirklandsmmoCoffee: it's in the cloud-init userdata19:24
SCHAAP137in apache i got OSCP to work, but with my current setup OCSP fails, haven't figured out why yet19:25
kirklandsmmoCoffee: sorry, I don't know about the openstack-install19:25
SCHAAP137i got HPKP though19:25
SCHAAP137current *nginx setup19:25
SCHAAP137might be SNI related, not sure19:25
SCHAAP137if you want the CHACHA20-POLY1305 ciphersuites, you could recompile nginx with LibreSSL btw19:26
acmehandleHas it been 12-24 hours?  My 'resources' inform me that in some cases thats how long it takes to resolve.  I just got it to this point a few minutes ago19:26
acmehandleDo I need it?19:26
acmehandleI dont even know anymore.19:26
SCHAAP137hmm, really? i might just have been impatient19:27
SCHAAP137OCSP could protect your clients from some forms of MITM, theoretically19:27
acmehandleSo I have read.19:27
acmehandleSome of what I've read says that with chrome the sites work right away. Firefox often has that delay with ocsp19:28
SCHAAP137it would require quite a skilled attacker though19:28
acmehandleI just opened up chrome and was able to access my site.  So that confirms taht much of the theory19:28
acmehandleHow does a MITM attack work nowadays?  Are all those points out there that insecure that someone can break in to them?19:29
acmehandleI'm naive about this.19:29
SCHAAP137one could employ this: https://mitmproxy.org/19:29
acmehandleI just know to try to plug up whatever vulnerabilities I might have19:30
patdk-wkocsp only protects you from a revoked certificate19:31
patdk-wkso, you have to know your certificate was compromised19:32
patdk-wkand revoke it19:32
patdk-wkbefore using oscp gains you any protection19:32
smmoCoffeekirkland: looks like openstack-install uses configuration found in ~/.cloud-install/userdata.yaml for the pollinate command19:37
SCHAAP137allright, got OCSP working now as wlel19:50
prudentmavI'm new to server admin... Just created a vps at digitalocean with a lamp stack.  When I use adduser, is there a way to have a few additional things happen when a new user is created?  for example, in addition to creating the user, it creates a folder coping contents from a temp folder for the temp landing page then create a file in sites-available from template with variable for username inserted then enable site?21:12
=== lea_ is now known as lea
iNshas anyone managed to get a simplest pptp tunnel going on? im having some dafuq moments ;) http://paste.ubuntu.com/12202197/21:27
RevertToTypeim having some difficulties setting up ubuntu server to automatically pull down an ip, if after boot I run sudo dhclient wlan0 it's all good, how can i automate that (is there a normal way in network/interfaces?)21:35
fishcookeri have keyauth enabled on sshd config .. how to show whois login through accepted key when one account login has many authorized keys?21:37
RevertToTypecould be as simple as post-up dhclient wlan0?21:43
beisnercoreycb, fyi - kilo proposed pushed to kilo updates.  http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/kilo_versions.html21:44
coreycbbeisner, thanks!21:45
beisnercoreycb, likewise, yo.21:54
sarnoldiNs: is that tunneled through ssh?21:58
iNssarnold, no its not, i figured now its a problem with chap secrets i think, http://paste.ubuntu.com/12202341/21:59
iNsthats server side log snippet21:59
sarnoldiNs: interesting. (the bit about /dev/pts/3 made me think it was like the old days when we'd run ppp over ssh..)22:00
iNsits 2 xen VM hosts, connection is about to take place between 2 VMs on each of those22:02
iNsevery art/tut says something idfferent, any chance u could guide me to the 'proper' chap-secrets structure both server and client wise?22:04
sarnoldiNs: looks like the format is "username servername password ip_address" with single spaces bewtween them22:06
iNsyea i know, that is the point22:07
iNsive followed the man's and ugh22:07
iNsthis is weird22:07
sarnoldiNs: something that picky might also get confused if you have any trailing spaces at the end of the line, it might be worth looking for those, and probably the file needs to end with a newline22:07
sarnoldare there any strange chars in the username, service name, or password?22:07
sarnoldI'm having trouble figuring out what the service name ought to be -- but the guide on the ubuntu community wiki suggests that * also works there :)22:08
iNsthe serivice name should be pptpd, should the chap secrets on the server be identical to the one on the client?22:09
iNsthe service name in chap-secrets should be equal to the remotename send by request from the client22:10
sarnoldiNs: hmm, the digitalocean guide suggests the client username and password ought to be stored in an /etc/ppp/peers/ file22:13
RevertToTypeso like what do i need to do to fire off dhclient at startup is there a entry i can just throw into network/interfaces or is there some other official way or is it literally throwing a script into rc#.d22:20
RevertToTypemy network/inferfaces file def. has dhcp in the second line... no clue why my card isn't pulling down an ip address until i run dhclient manually\22:21
iNssarnold, hm, corrected it exactly like that tut says and nothing ;o22:22
sarnoldRevertToType: anything in any logs? dmesg? syslog?22:22
RevertToTypenothing seems amiss22:23
RevertToTypelike no errors or anything22:23
RevertToTypeit's just like it's not running22:23
sarnoldiNs: logs on both client and server look unchanged?22:23
sarnoldRevertToType: do you have an 'auto' stanza for tht nic?22:23
RevertToTypeauto wlan022:23
RevertToTypenext line is iface wlan0 inet dhcp22:24
iNsRevertToType,  u mean 'iface eth0 inet dhcp; ?22:24
RevertToTypethen my pre-up supplicant22:24
sarnoldwireless? hmm22:24
iNssarnold, yea O_o22:24
RevertToType@ iNs nope it's my wireless card and that's the dev22:24
sarnoldiNs: check permissions? sshd at least is pretty picky, maybe pptpd is picky too :)22:24
RevertToType@ iNs would "wireless-mode Managed" in the interfaces file be useful... ?22:27
iNsafter the wlan0 inet dhcp line, u can try having ssid key and managed mode yea22:30
RevertToTypei have the ssid/key and all that in a pre-up wpa_supplicant thing22:30
RevertToType(WPA2, AES, Hidden ssid, ... i know this isn't making it easy)22:31
RevertToTypeand it didn't work (adding the managed line)22:31
=== jgrimm is now known as jgrimm-away
RevertToTypeblech now lets say i just wanted to add that simple line (dhclient wlan0) to the end of my strup... used to be rc.local ... no clue what it is now, where do i put this rubbish?22:38
sarnoldRevertToType: /etc/rc.local should still work22:38
RevertToTypein the interest of being like "hrm" I don't see such a file22:39
sarnoldgranted, if you put it at the end, any services that should bind to that interface that are started via startup scripts will probably also fail22:39
RevertToTypeso what do?22:39
sarnoldinteresting, the file I've got there is reported as unowned by dpkg -S /etc/rc.local22:40
RevertToTypehrm there it is22:40
RevertToTypeoi vey22:40
sarnoldtry using it anyhow. add an 'exit 0' as the last line, #!/bin/sh -e  as the first line, mode 755 root:root:22:40
iNssarnold, purged everything and done from scratch - same thing22:42
sarnoldiNs: dang. if it were mine to solve I'd use strace on both client and server and hope it leaves some clues behind. reading strace output isn't much fun but might give an idea where things go astray22:44
RevertToTypeit didn't work22:45
* RevertToType scratches her head22:45
RevertToTypethis is so utterly baffling22:45
iNswelcome to the baffled club RevertToType lul22:45
prudentmavwhere if the file located that runs when a new user is created?  Wanting to create a public_html folder in their home directory, install october cms and then create file for sites-available folder then enable the site22:45
prudentmavwhere is*22:46
RevertToTypeso like techincally i should be able to run rc.local as if it were any other script right?22:46
RevertToTypeI should be able to ./rc.local and execute it if all goes according to plan yes?22:46
sarnoldprudentmav: /etc/skel for the public_html, /usr/local/sbin/adduser.local for the adduser site-local customizing22:46
sarnoldRevertToType: mostly22:46
RevertToTypei'm geting a !/bin/sh not found O_O22:46
prudentmavthanks sarnold22:47
RevertToTypewhen i attempt to run it from terminal (cause why not)22:47
sarnoldRevertToType: the startup environment is typically very different from a logged-in-user's environment. so something that works perfect as a logged in user may not work well when booted.22:47
* RevertToType nods22:47
sarnoldRevertToType: #!/bin/sh ?22:47
RevertToTyperunning it from command thrwos that error however it properly executed dhclient22:47
RevertToTypebut didn't on boot22:47
RevertToTypeas i said baffling22:47
sarnoldand it's root:root, mode 755?22:48
RevertToTypedef mode 75522:48
RevertToTypehow do i tell the first part?22:48
sarnoldls -l /etc/rc.local22:48
RevertToType-rwxr-xr-x 1 root root 319 (?WHAT?)22:49
sarnoldRevertToType: that means 755, one hardlink, owned by user root, group root, 319 bytes22:50
RevertToTypeso it should be all good22:51
RevertToTypeno clue why it hates me22:51
sarnoldyes :)22:51
RevertToTypehonestly getting this thing to even connect to the freaking wireless was a chore22:51
RevertToTypelike not a single tutorial i walked through worked until i just started parsing out as much as i could from arch and debian tutorials :V22:51
* RevertToType drools staring at the screen22:54
RevertToTypethis has made me feel more and more incomprehensibly dumb every second22:54
sarnoldit shouldn't22:55
sarnoldwireless is miserable22:55
sarnoldthe debian networking configuration is miserable22:56
sarnoldcombined they are very miserable.22:56
* RevertToType continues to drool22:56
RevertToTypebut now we're not even talking about wireless22:56
sarnoldI know I got it working a decade back on a laptop, but, as much as I detest network-manager, it does seem to more or less mostly work on wireless things. :/22:56
RevertToTypewe're talking about a single command that does run in terminal a-ok22:56
RevertToTypebut doesn't in a startup script22:57
RevertToTypeand oh god yes, even with a wm i had a dog of a time on ub9.04 and my old netbook22:57
RevertToTypei remember the nightmares22:57
RevertToTypedo i need to do like update-rc.d or something?22:58
RevertToTypei mean i shouldn't have to but at this point you could tell me 'create a script that just forks endlessly' and i'd believe it22:58
sarnoldRevertToType: /etc/rc.local should be run by /etc/init.d/rc.local during boot without any real effort on your part23:01
sarnoldRevertToType: pastebin your script?23:01
RevertToTypeack systemd might be the ish?23:01
RevertToTypeno need to paste (excluding commented lines)23:01
RevertToType!/bin/sh -e23:02
RevertToTypesudo dhclient wlan023:02
RevertToTypeexit 023:02
sarnoldthat first line needs the #!23:02
sarnoldthe kernel is looking for those two bytes, they've got to be there. :)23:03
RevertToTypemy brain23:03
sarnoldtake out the 'sudo', it's already running as root..23:03
RevertToTypeit was a second add after the first 2 failures :V23:03
sarnoldand it'd be best to give the full path to dhclient, the PATH is often very constrained during boot scripts.23:03
RevertToTypeoh yeah23:03
RevertToTypefreaking staring at this screen has made me dumb and just near constant callllll/interruptions23:04
iNsi am as well pulling my hair out23:05
iNsboth out of my head and beard now as well, thefuk23:05
RevertToTypedon't lose dat beard23:06
iNsim closer to losing my mind actually23:08
RevertToTypesarnold: no joy :/23:08
sarnoldRevertToType: alright, what went wrong? did you get any error messages logged? anything in dmesg?23:10
RevertToTypenothing relating to rc.local23:12
RevertToTypei do however see that ipv6 seems to be fine23:13
RevertToTypehrm do i need to set up some freaking dhcpconf kinda rubbish?23:13
RevertToTypei mean regardless the rc.local thing should do it23:14
sarnoldRevertToType: maybe remove all mentions of this interface from /etc/network/interfaces -- stick everything needed for it in the /etc/rc.local -- modprobe whatever modules are needed, add the iwconfig and wpa_supplicant and dhclient commands there manually..23:15
iNssarnold, you wont believe it23:19
tewardsarnold: ping23:20
iNsby habit, even simple passwords of mine, containt numerical/special characters ...23:20
teward(apologies for duplicate posts, laggggggggggy)23:20
sarnoldheya teward23:20
iNssarnold, using a simple password fixed it, lawl23:20
sarnoldiNs: .. which oddball charcter broke this? :)23:20
iNsim gonna check it now lol for test purposes23:20
* iNs knocks his head23:21
sarnoldiNs: and worse yet.. dare look at the code and see if it's exploitable? :)23:21
tewardsarnold: http://dark-net.net/?p=100 <-- the landscape-and-gitlab headache.  hoping to god i can find a replacement CPU for my ESXi box :/23:21
teward(it's still not 100% fixed :/)23:21
tewardrbasak: FYI: nginx ppa builds delayed due to other (private business) builds that are taking an emergency-priority leve.23:22
iNssarnold, # breaks it23:24
iNs: d23:24
sarnoldiNs: haha, probably killed by a comment parser in an earlier pass..23:24
sarnoldteward: nice :)23:24
sarnoldteward: man there's a lot of fiddly things to change there23:25
iNswasted so much time for this ;d23:25
RevertToTypeapparently ub15.04 is using systemd and upstart ... perhaps it's time to look into that for this one simple stupid command23:25
tewardsarnold: yeah, the Apache redirs don't help23:25
teward(change the port, port redirs are still enforced by Landscape, even if the baseurl isn't set as such)23:26
tewardLandscape used to be on my ESXi box23:26
tewardas a VM23:26
tewardthen the CPU died23:26
teward(we need ARM landscape-server xD)23:26
teward(then my RPi can be my Landscape server xD)23:27
sarnoldRevertToType: pitti put this together, it's been useful reading for me https://wiki.ubuntu.com/SystemdForUpstartUsers23:27
sarnoldheh, would an rpi have the ram to make it work? :)23:27
RevertToTypenice i'll poke into that... gotta run but sarnold thank you so much for your help23:28
tewardsarnold: potentially?  Landscape never ate more than 768MB on my system, but meh23:28
tewardsarnold: the big problem is that my ESXi box did blow up on me, without that, everything's on the converted desktop that's my Gitlab machine23:28
sarnoldRevertToType: good luck :)23:29
tewardsarnold: btw can i grab your opinion on something?23:29
* RevertToType salutes sarnold23:29
sarnoldteward: 768, that's not bad23:29
tewardsarnold: only 3 systems on it right now, the others are status:dead because ESXi23:29
tewardbut i still need your thoughts23:30
tewardas a sec team person :P23:30
iNsanyway sarnold thanks as well23:31
iNs"ridiculous solutions vol. XX"23:31
=== hxm is now known as Guest4518
sarnoldiNs: haha :)23:35
sarnoldiNs: glad you got it! your beard will thank you.23:36
iNshaha, most def23:36
iNsdamn thesis deadlines23:36
iNsgotta take a break, this thing annoyed the shit out of me lol23:36

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!