[06:53] <Knightmare> Does anyone know if it's ok to use lxd on a home server? I want to replace kvm as my main hypervisor.
[07:06] <lordievader> Good morning.
[07:32] <sysrex> Good morning everybody
[07:36] <lordievader> o/
[08:26] <ld2412> Hello guys. Can anyone help me to setup an Ubuntu Server with full disk encryption?
[08:26] <ld2412> I've been googling around but haven't find anything like a guide
[08:28] <ld2412> May be someone have a guide so please share a link
[08:28] <ld2412> Thanks
[08:28] <RoyK> ld2412: it's a choice during installation
[08:28] <ld2412> But if a rent a server (dedicated) and os is already installed
[08:29] <ld2412> I mean this case
[08:29] <RoyK> ld2412: not sure how to encrypt an existing system
[08:30] <ld2412> RoyK: nevermind. I'm sure it's possible and it's somehow connected with KVM thiing
[08:31] <TJ-> Encrypting an existing file-system using LUKS/dm-crypt?
[08:31] <ld2412> TJ-: How to decrypt hdd after a reboot?
[08:31] <ld2412> E.g.
[08:32] <TJ-> ld2412: That depends on how it was encrypted :)
[08:32] <ld2412> So, can you help me with it? :)
[08:34] <TJ-> ld2412: Give some specifics and I may be able to
[08:39] <TJ-> Ahhh... silent encryption, eh, sneaky!
[08:40] <ld2412> TJ-: I've sent you messages
[08:41] <TJ-> ld2412: Please keep the support messages in the channel so others can learn from the issue
[08:42] <ld2412> Ok
[08:42] <ld2412> So
[08:42] <ld2412> The example
[08:42] <ld2412> I rent a dedicated server
[08:42] <ld2412> It comes with default Ubuntu Server 14.04
[08:42] <ld2412> That's it
[08:43] <ld2412> Full disk encryption is needed for that server
[08:43] <ld2412> I have just ssh root shell access
[08:45] <TJ-> ld2412: OK... well first off, anyone with physical access will be able to circumvent any encryption
[08:46] <ld2412> That is clear :)
[08:46] <ld2412> But still
[08:46] <TJ-> ld2412: so what attacks are you looking to prevent. Encryption will protect the data if the server is powered off, but as soon as it powers up and is active, the block devices are available unencrypted and the key is in memory
[08:47] <ld2412> You have already named the reason - protection when server is powered off
[08:48] <TJ-> ld2412: Well, it's unusual to have a dedicated server that isn't powered on :)
[08:48] <ld2412> That is true :D
[08:48] <ld2412> But stiil, encryption is needed
[08:48] <TJ-> ld2412: that said, you can configure an initrd.img with a small ssh client that can connect out to get a key to unlock encrypted devices
[08:49] <TJ-> ld2412: it's much better to protect individual files/sets of files, if the aim is to protect personal data in, for example, databases
[08:49] <RoyK> ld2412: usually, with full disk encryption, you'll have to type a password on the console to unlock it - for a headless machine, that's a bit tricky
[08:50] <RoyK> ld2412: and storing the password in the bootup renders encryption rather useless
[08:50]  * RoyK encrypts all his data with ROT13 - twice!
[08:50] <TJ-> ld2412: If you want to protect data areas but the OS doesn't need encryption, then that makes it slightly easier since you can wait for the init system to start before needing to handle unlocking the encrypted device(s)
[08:51] <TJ-> RoyK: That is so secure with UTF-16 :)
[08:52] <RoyK> ld2412: if you're really paranoid, setup your own hardware :P
[08:52] <ld2412> I can't setup my own :)
[08:52] <lordievader> RoyK: 2x rot13 is the best security! By far.
[08:53] <lordievader> ld2412: Ain't it better to make luks containers for your critical data rather than go full disk encryption?
[08:53] <ld2412> I think FDE is better
[08:53] <ld2412> I dont mind typing a password on each reboot
[08:54] <ld2412> So
[08:54] <ld2412> Is there any guide on the internet? I haven't found one
[08:54] <RoyK> ld2412: do you have console access or just ssh? also - why so scared? the ISP will gain access if they want to
[08:54] <ld2412> I have only ssh
[08:55] <ld2412> That's my personal "features" :D
[08:55] <ld2412> Please help guys
[08:55] <TJ-> lordievader: FDE and LUKS are orthogonal. LUKS is simply a way to manage the keys of a dm-crypt device
[08:56] <RoyK> ld2412: well, as TJ- said, you can probably get sshd into the initrd to help, but setting this up on a machine without console access will be hard - I've never tried it...
[08:56] <lordievader> TJ-: I know. I was targeting encrypted lvm volumes.
[08:56] <ld2412> I one provides me with step by step guide I will thank that person via bitcoins :)
[08:56] <TJ-> ld2412: if you use FDE first of all, it won't be FDE, what it will be is root file-system file-system encryption. you'll need a separate unencrypted /boot/ file-system containing GRUB and the kernels/initrd.img
[08:57] <RoyK> ld2412: why on earth would you bother with encrypting the root?
[08:57] <ld2412> Of course boot leaves unecrypted
[08:58] <ld2412> I am a bit more than average user, so not all the things you guys say are clear
[08:58] <TJ-> ld2412: install a sttically linked ssh client in the initrd, that is hard-coded to contact your key-server via a key-script, and then crypsetup's cryptroot update-initramfs scripts can do the rest
[08:58] <RoyK> ld2412: this is a bit on the advanced side ;)
[08:59] <ld2412> RoyK: That is why advanced help is needed :)
[08:59] <TJ-> ld2412: some people install dropbear in the initrd, the micro-ssh-server, and have it wait for incoming connections from a key-delivery system, also, but I prefer the call-out method
[09:00] <lordievader> Personally I don't think it is worth the trouble.
[09:01] <TJ-> ld2412: I've been working on ssh support in GRUB so GRUB's LUKs encryption can be used remotely too, to allow the /boot/ file-system to be remotely unlocked. Currently it requires console access to unlock GRUB's root file-system
[09:02] <ld2412> TJ, would you like to help me tet-a-tet and I will pay your time?
[09:02] <ld2412> Hourly
[09:02] <ld2412> :)
[09:03] <TJ-> ld2412: no thanks, I've got enough of my own to do
[09:04] <TJ-> ld2412: pro tip... practice in a simple local VM guest until you're confident it works and you understand it
[09:07] <ld24121> Sorry, my interned connection failed and I was disconnected
[09:07] <TJ-> With servers that my contain confidential info a better solution is to use per-application encryption that encrypts its data before writing to disk, such as in databases, so even if the files are compromised the contents are safe
[09:53] <Celphish> Hello everyone!
[09:53] <Celphish> Got a quick question for you:
[09:54] <Celphish> If I have a server, on which I run a very important web-service for our business, and I want to add two drives to fstab and then type "mount -a", will anything be interrupted or will the new drives just be added?
[09:54] <lordievader> The second.
[09:55] <Celphish> lordievader: so mount -a doesn't do anything to the already mounted?
[09:55] <lordievader> No.
[09:59] <Celphish> not that I don't believe you lordievader but I need to be 200% sure, can someone confirm?
[10:00] <dasjoe> A "very important web-service" should be built in a redundant way
[10:02] <TJ-> Celphish: test it locally
[10:22] <rbasak> magicalChicken: how do you feel about bug 869017? Are you happy to post to ubuntu-devel?
[10:27] <RoyK> Celphish: well, of course, I use it regularly, but as dasjoe says, make it redundant
[10:30] <rbasak> mdeslaur: around? I'm looking at sponsoring bug 1394403 - as you're looked at it before I'd like your opinion please.
[10:31] <rbasak> when I asked magicalChicken to look at it I didn't realise the upstream fix would add a configuration directive. But it looks like it's safe as it defaults to the same behaviour. Had you considered this already? Does it also look reasonable to you?
[10:31] <rbasak> I also think we should include the documentation update in our backport - better than not having it in the SRU IMHO.
[10:34] <rbasak> smoser: reminder to look at bug 1481337 when you can please.
[10:35] <rbasak> smb: thank you for driving bug 1483214! Looking good.
[10:36] <smb> rbasak, np, should be getting out as this cycle closes
[11:10] <mdeslaur> rbasak: I'm ok with the new config option...I've added options before to packages as security updates, so it's not like we haven't done it before. The option will change the behaviour though, but cases where it will break something are unlikely
[11:10] <mdeslaur> rbasak: for the documentation, meh...if it were man pages, I'd push for it...but the static web documentation, meh
[11:10] <mdeslaur> rbasak: especially since there are localized versions of the documentation and we'd only be updating the english version
[11:11] <Azaril> hello
[11:11] <Azaril> i cant get random_delay to work in /etc/crontab
[11:11] <mdeslaur> rbasak: the only thing is perhaps add what the option is and how the default has changed to the changelog
[11:13] <Azaril> http://pastie.org/10376721
[11:13] <Azaril> every job runs exactly on the minute
[11:14] <Azaril> that its "supposed" to
[11:16] <rbasak> mdeslaur: OK. Thanks!
[11:25] <jpds> Azaril: No mention of RANDOM_DELAY on "man crontab"
[11:48] <SeerKan`> Hi guys
[11:48] <SeerKan`> If I mount a gluster volume from server1 with server2 as backup with the fuse mount, I understand that once server1 is down it will use server2 automatically. But what happens when server1 is back ? will it start automatically use server1 even if it doesn't have the latest data or keep using server2 until it goes down and then go back to server1 ?
[11:51] <Azaril> jpds: having gone through a lot of google, apparently ubuntus version doesnt support it
[11:51] <jpds> Azaril: Not mentioned in the manpage. :)
[11:51] <Azaril> yeah, not in ubuntus
[11:51] <Azaril> ill have to do it by hand
[12:15] <teward> (whee wordpress exploded)
[12:15] <teward> rbasak: FYI, i've downloaded the nginx package from Debian Unstable, and am test-building it without changes before pushing to PPAs...
[12:15] <teward> so the latest 1.9.x will be 'available' via that PPA
[12:21] <rbasak> teward: sounds good. Thanks!
[12:21] <teward> has anyone seen sarnold, I think he was lookin for my writeup on my Landscape-and-Gitlab-On-the-Same-Server blog post on my headaches and solutions for everything on the same server xD
[12:21] <teward> rbasak: no problem
[12:30] <magicalChicken> rbasak: Oh, yeah, I need to ask the mailing list if they think it's a good idea. I'll send that email out this afternoon.
[12:55] <Celphish> Quick question, when I typ lsblk or fdisk -l, I see the same disk appear both as sdb and sdc, any way to get rid of sdc?
[12:56] <TJ-> Celphish: same disk? sounds like some symlinks or device nodes are stale
[12:56] <Celphish> TJ-: looks like it's the same disk yes
[12:57] <Celphish> TJ-: how do I check if it's the same, I've been fiddling with this for a few hours now, haha
[12:58] <RoyK> Celphish: do you have multipath somehow?
[12:58] <TJ-> Celphish: there are symlinks under /dev/disk/   check out "ls -l /dev/disk/by-id/" and look at the names/serial numbers and where the symlink points to, and follow the trail
[12:59] <RoyK> Celphish: I've seen same disk appearing twice if it's connected on multipath
[12:59] <RoyK> Celphish: if that's the case, setup multipath in linux
[13:01] <beisner> hi coreycb, ready for me to push from proposed to updates in Kilo cloud archive?  FYI, this is the proposed vs. current updates list:  http://paste.ubuntu.com/12199098/
[13:02] <coreycb> beisner, probably should wait until after 4:30 pm to officially have it in proposed for +7 days
[13:02]  * beisner moves finger off the trigger
[13:02] <beisner> coreycb, gotcha
[13:03] <coreycb> beisner, the list looks good, thanks!
[13:03] <Celphish> RoyK: well, it was used faulty before, I haven't used it though.. When I did what TJ- said, it looks like one number points to sdc, and then the same number with the addition of "-part1" points to sdb1...
[13:04] <beisner> coreycb, ok thanks for confirming.  I'll push later today.
[13:08] <TJ-> Celphish: is it using multipath? how is the device connected?
[13:08] <TJ-> Celphish: also, check "/var/log/kern.log" and look at the messages when those devices are added by the kernel, that might give a clue
[13:09] <Celphish> TJ-: not sure tbh, think it's connected with fiber optic cable somehow
[13:09] <RoyK> Celphish: pastebin output of 'smartctl -i /dev/sdc' and similar for sdb
[13:12] <Celphish> RoyK: not installed on the server, smartctl, not sure I want to install it either since it's a production server
[13:13] <TJ-> Celphish: possibly "sudo dmsetup info" might give come clues
[13:13] <Celphish> TJ-: no devices found
[13:13] <TJ-> resort to the logs then :)
[13:16] <RoyK> Celphish: it should be installed :)
[13:16] <RoyK> Celphish: install smartmontools
[13:16] <RoyK> Celphish: it's very nice for monitoring and reporting things
[13:17] <Celphish> RoyK: I'm just a tad restrictive when it comes to install anything on a server that's in use by all our customers atm
[13:17] <RoyK> Celphish: it comes with smartd, monitoring physical disk health
[13:17] <RoyK> well, uninstall it later, then
[13:27] <Celphish> TJ-: there are some interesting entries in the log but I'm not sure what they mean, haha :D
[13:27] <Celphish> alot of "device-mapper........ error getting device
[13:27] <Celphish> with a "multipath" in between
[13:27] <Celphish> but we've flushed all mp, there are none left
[13:32] <TJ-> Celphish: looks like stale device references then, not sure how they aren't identical though
[13:32] <TJ-> Celphish: you'd expect sdb sdb1 sdc sdc1 really
[13:51] <Celphish> TJ-: ye, that's what I suspected too... but how do I correct / remove stale references?
[13:52] <TJ-> Celphish: remove the nodes
[13:52] <TJ-> Celphish: and any sym-links of course
[13:55] <Celphish> TJ-: sorry for lacking the knowledge, but please elaborate on how
[13:56] <TJ-> Celphish: if you're not familiar with such basic tasks, I would recommend getting a capable sysadmin to deal with it. you said it is a production server.
[14:11] <rbasak> rharper: around? I'd like to talk about bug 1481289.
[14:11] <rharper> rbasak: here
[14:12] <rbasak> rharper: thank you for investigating the bug. It's turned out to be much more complicated than applying a simple patch (don't they all!) but at least that's clear now so it doesn't look like we're just ignoring people sending patches.
[14:12] <rbasak> rharper: I'd like to either get an SRU landed though, or drop it off my list for driving.
[14:13] <rharper> rbasak: indeed;  it's rather complicated w.r.t what's actually needed
[14:13] <rbasak> rharper: ah, so it's not a "minimal fix", right?
[14:13] <rharper> there's nothing definitive in the referenced bugs that cleanly applies
[14:13] <rbasak> OK
[14:13] <rharper> and the upstream versions that are fixed are rather significantly modified in that area
[14:13] <rbasak> The bug status should still be Triaged though - as it's about whether the bug is valid rather than if we have a readily available fix.
[14:13] <rharper> they went through a number of iterations to get things working right
[14:14] <rharper> ah, ok
[14:14] <rbasak> I gave you the bug because I thought it was trivial, rather than because it has a large user impact.
[14:14] <rharper> sure
[14:14] <rbasak> So I think it's fine to drop it on that basis, while inviting others to provide a minimal patch for SRU.
[14:15] <rharper> right, if we get a simpler patch (or any set of patches) I'd be happy to re-review that for SRU
[14:15] <rbasak> Could you maybe explain what you think is required to drive the bug further in the bug itself, and then withdraw and unassign yourself? Assuming we don't want to work on it ;)
[14:15] <rharper> rbasak: sure
[14:16] <rbasak> Thanks!
[14:16] <rbasak> rharper: is there anything you're waiting on me for BTW? I'm trying to go through all the bugs I'm tracking but don't see anything else from you on my list.
[14:17] <rharper> rbasak: no;  I have the other bug related to puppet service status that I need to pick back up but that's not waiting on you, just me
[14:17] <rbasak> OK, np. Thanks!
[14:18] <rharper> sure
[14:18] <Celphish> TJ-: well, they don't have any responsible syadmn :)
[14:30] <smmoCoffee> Is this the right channel to discuss ubuntu openstack installation as a single installer without maas?
[14:40] <rbasak> smmoCoffee: I'm not aware of a better place if it doesn't involve MAAS. Try asking your question.
[14:48] <smmoCoffee> rbasak: We're wondering if there are any recommended procedures for running openstack-install behind a proxy server
[14:51] <rbasak> stokachu: ^^ are you the right person to help smmoCoffee?
[14:51] <smmoCoffee> running it with the http-proxy argument helps, but I'm finding with a self signed certificate used by the proxy server
[14:52] <rbasak> danwest: ^^
[14:52] <danwest> stokachu, can you answer the proxy question for smmoCoffee?
[14:52] <smmoCoffee> we're the there is an insecure option that might be passed to ignore the self signed cert
[14:53] <RoyK> smmoCoffee: if you use a linux server as the router/proxy, you could setup transparent proxing
[14:54] <smmoCoffee> we have no direct access to the proxy server
[14:54] <danwest> smmoCoffee, looks like there is a proxy option [--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY]
[14:54] <smmoCoffee> logs for the bootstrap lxc container show errors with curl
[14:54] <RoyK> I've never installed openstack, so sorry
[14:55] <stokachu> smmoCoffee:we have cli options that you can set to run behind a proxy, --http-proxy and --https-proxy
[14:55] <stokachu> have a look at openstack-install --help
[14:55] <smmoCoffee> danwest: yes, that's how I'm running and that is allowing us to actually get to whitelist sites like entropy.ubuntu.com
[14:56] <stokachu> oh self signed certificate
[14:56] <RoyK> don't we just love those? ;)
[14:57] <smmoCoffee> curl: (60) SSL certificate problem: unable to get local issuer certificate
[14:57] <stokachu> yea we don't implement a way to accept insecure certificates
[14:57] <smmoCoffee> that appears in the bootstrap container clould init log
[14:57] <stokachu> whats the full command thats being run
[14:58] <stokachu> everything we query for shouldn't be pulling in any self signed certificates
[14:59] <rbasak> I get the impression that smmoCoffee has a MITM proxy that expects you to have installed its CA in every client.
[14:59] <rbasak> (or bypass warnings)
[14:59] <stokachu> yea makes sense
[14:59] <smmoCoffee> openstack-install --http-proxy $PROXY_SERVER:$PROXY_PORT --https-proxy $PROXY_SERVER:$PROXY_PORT
[14:59] <stokachu> smmoCoffee:whats the output from the log where it fails
[14:59] <stokachu> you can paste.ubuntu.com that
[15:00] <rbasak> SO I guess a proper solution is to install the CA everywhere (every container etc) where it is needed.
[15:00] <rbasak> This might need cloud-init support for an ideal solution.
[15:00] <RoyK> the proper solution is to use proper certificates
[15:01] <rbasak> An MITM SSL proxy is reasonable in a controlled environment for consenting adults IMHO.
[15:01] <rbasak> Otherwise it's just something that tunnels through firewalls defeating their ability to keep you safe.
[15:01] <stokachu> i wish the internet was more trusting
[15:01] <stokachu> so i wouldnt have to lock my doors at night
[15:01] <RoyK> stokachu: don't we all :P
[15:02] <rbasak> And being Free Software we should be free to run our own CAs if we wish. So this reduces to a feature request :)
[15:04] <smmoCoffee> just as the ubuntu pastebin  url?
[15:04] <smmoCoffee> http://paste.ubuntu.com/12199815/
[15:04] <stokachu> yea just paste it at that url and post the link here
[15:05] <smmoCoffee> Here
[15:06] <stokachu> smmoCoffee:youre running an older openstack-installer
[15:06] <smmoCoffee> Here's higher level logging from the commands.log
[15:06] <stokachu> smmoCoffee:http://ubuntu-cloud-installer.readthedocs.org/en/latest/single-installer.guide.html
[15:06] <smmoCoffee> http://paste.ubuntu.com/12199839/
[15:06] <stokachu> follow ^ that guide as that is the version that will end up in the ubuntu archives
[15:07] <smmoCoffee> ok, thanks. So we should use ppa:cloud-installer/experimental
[15:07] <stokachu> the pollinate command should work behind a proxy so I think using the latest installer fixes all that
[15:08] <smmoCoffee> stokachu: thanks for confirming
[15:09] <stokachu> np, also you can find us in #ubuntu-solutions if you need anything further
[15:51] <Knightmare> A question for those in the know. Can I replace KVM with LXD?
[15:52] <jpds> You can't just migrate from one to the other
[15:53] <teward> any landscape pros here?  (got a question about the actual Landscape Dedicated Server software)
[15:53] <Knightmare> I don't want to migrate. I was just wondering if I could use lxd instead of KVM.
[15:55] <shauno> it depends what for.  you can use a shoe as a hammer, but not a hammer as a shoe.
[15:55] <jpds> teward: Yes
[15:58] <teward> jpds: what part of LDS listens on 8080?  And is it possible to make it listen elsewhere
[15:58] <jpds> teward: I think that's the appserver
[15:58] <teward> (say, 28080 or similar, because portconflicts)
[15:58] <jpds> teward: Why do you already have something on there?
[15:58] <RoyK> Knightmare: some prefer lxd over KVM - it will share resources better, but IMHO, KVM is nice
[15:59] <teward> jpds: good question, it's more a hypothetical question :p
[15:59] <teward> jpds: because it's an experimental system, so exploring it is different than production deployment
[15:59] <teward> there's quite a lot of cruft there
[15:59] <teward> (experimentation vlans ftw)
[15:59] <jpds> teward: I always install LDS on a new VM
[16:00] <teward> jpds: remove VM from the equation - my ESXi box that runs VMs decided to blow up on me
[16:00] <teward> so i'm still hunting a replacement/warrantyfix
[16:00] <teward> (so it's on a barebones test system for now)
[16:00] <teward> i was more curious what's listening on 8080 rather than changing the port :P
[16:01] <jpds> Right
[16:01] <jpds> teward: Apache just mod_proxy's stuff to the relevant component/appserver based on URL
[16:02] <teward> right, which i discovered is fine, except for when you have one IP, many domains, then you need reverse proxies :/
[16:02] <teward> (I am also NOT an apache guru :P)
[16:02] <teward> jpds: a lesson in how NOT to run things: I am temporarily putting LDS on my gitlab barebones box :/
[16:02] <teward> 8080 is conflicted because Gitlab's Unicorn is on 8080
[16:02] <teward> (I fixed that easy)
[16:02] <jpds> Ew
[16:03] <teward> as i said
[16:03] <teward> my esxi box decided to nuke itself :/
[16:03] <jpds> KVM is lovely :-)
[16:03] <teward> making it WORK is not hard once you fix the port conflict
[16:03] <teward> mmm
[16:03] <teward> indeed
[16:04] <teward> jpds: too bad it doesn't like this box
[16:04] <teward> in either case - http://dark-net.net/?p=100 is my musings and discovery
[16:04] <jpds> teward: Why doesn't it like that box?
[16:04] <teward> jpds: old
[16:04] <teward> (old converted desktop, my guess is virtualization isn't present in BIOS/CPU chipset
[16:04] <teward> oh
[16:04] <teward> jpds: interesting tidbit...
[16:04] <Knightmare> RoyK: Thanks for the advice!
[16:04] <jpds> So, ESXi isn't painful for you?
[16:05] <teward> jpds: landscape-client refuses to recognize valid SSL on a Landscape server
[16:05] <RoyK> Knightmare: IMHO KVM (or other virtualisation software) is far better in security terms - it's total isolation, not merely smart chrooting
[16:05] <teward> (i.e. a valid SSL cert from an SSL certificate provider)
[16:05] <jpds> teward: Weird
[16:05] <teward> jpds: it required me to copy in the CA chain and provide it via the cli arguments
[16:05] <teward> jpds: that *may* be a bug, but meh
[16:05] <teward> (it's a Comodo wildcard cert)
[16:05] <jpds> teward: It'll use whatever the Ubuntu ca-certificates uses
[16:06] <teward> weird because curl worked fine to recognize the SSL as valid
[16:06] <teward> landscape-client didn't
[16:06] <teward> (so did Firefox, and Chromium, and w3m even)
[16:06] <teward> also a funny story about Landscape - things run in KVM are sometimes NOT recognized as a VM
[16:07] <teward> and as barebones hardware instead
[16:07] <jpds> teward: landscape-client uses gnutls instead of openssl, which is slightly more stricter about certs
[16:07] <teward> mmm
[16:07]  * teward shrugs
[16:07] <jpds> teward: Yeah, did you expose the host cpu flags to the guest?
[16:07] <teward> jpds: wasn't my system, the other sysadmin set that one up
[16:07] <teward> :/
[16:08] <teward> my guess is 'maybe'?
[16:08] <teward> my experimental test instances only have VMs
[16:08] <teward> well...
[16:08] <teward> jad.
[16:08] <teward> had*
[16:09] <Knightmare> RoyK: I've got a HP Microserver and just want to make the most of the resources.
[16:09] <teward> jpds: another question if you have a moment - any way to get more than those 20 free licenses?  I assume one has to buy the advantage licenses, but my question is are they the same price, or do the prices on the canonical store reflect the Canonical-run Landscape instance?
[16:10] <RoyK> Knightmare: what sort of cpu? how much memory?
[16:10] <jpds> teward: You have to buy licenses
[16:10] <Knightmare> RoyK: http://n40l.wikia.com/wiki/Base_Hardware_N54L
[16:11] <teward> jpds: i know that, but are they the same licenses listed on the Ubuntu Advantage pages, or does one reach to Canonical Sales about pricing
[16:12] <RoyK> Knightmare: if kvm doesn't do the job, try lxc, or get some better hardware ;)
[16:12] <jpds> teward: talk to sales
[16:13] <teward> ok
[16:13] <teward> jpds: thank you!
[16:13] <Knightmare> RoyK: I don't need serious hardware for what I want to run. Just want to be a efficient as possible :)
[16:15] <RoyK> Knightmare: lxc is probably the best thing for that
[16:17] <Beret> teward, do you have an account on landscape.canonical.com?
[16:17] <Beret> teward, the hosted Landscape?
[16:37] <rbasak> jgrimm: I agree with you on bug 1397250 - I'd like *someone* (even if it's the reporter) to be able to reproduce it, or at least still be affected by it, before we attempt an SRU.
[16:41] <jgrimm> rbasak, thanks.. i was going to ping you for opinion on that. hopefullly someone can actually recreate the bug..
[16:43] <jgrimm> rbasak, i find it rather curious that the test reproducer didn't even hit the function that is patched as part of the fix when i enabled debugging.
[16:43] <jgrimm> rbasak, but has been an excellent learning exercise none-the-less
[16:44] <teward> Beret: no, Landscape Dedicated Server, the personal-run one
[16:44] <teward> NOT the cloud landscape.canonical.com
[16:44] <teward> if I had the hosted landscape I'd have a support ticket in, not asking questions here :)
[16:46] <jgrimm> rbasak, would this actually be SRU'able even?  I can't think that this is hitting that many folks..
[16:47] <rbasak> jgrimm: if someone's actually impacted (rather than it being theoretical) then I wouldn't block doing an SRU on that basis (though time and resource is a separate thing, I'm always happy for an affected user to drive).
[16:48] <rbasak> jgrimm: OTOH, if we can't actually find anyone impacted because it's theoretical or that person has moved on and doesn't trigger it any more, then I see no point in risking regression by doing an SRU.
[16:48] <rbasak> That's my personal opinion, anyway.
[16:48] <jgrimm> rbasak, that's my concern too
[17:19] <teward> mmm... jpds, Beret: did either of you invite me to landscape.canonical.com for some reason?
[17:20] <Beret> teward, yes, do you not see my private messages?
[17:20] <jpds> teward: He's onto you
[17:20] <teward> Beret: +g
[17:20] <teward> (i get too much PM spam, being an op in bitcoin chans)
[17:20] <Beret> eh?
[17:20] <Beret> ah
[17:20] <teward> (so I have umode +g on, which blocks PMs)
[17:21] <Beret> not ideal
[17:21] <teward> Beret: feel free to resend if you wish :)
[17:21] <Beret> :)
[17:21] <Beret> paste coming your way
[17:21] <teward> Beret: getting spammed by 300+ bots is less ideal
[17:21] <Beret> resent
[17:21] <Beret> get it this time?
[17:26] <teward> Beret: yep!
[17:52] <smmoCoffee> hi, question about installing openstack per the single installer guide http://ubuntu-cloud-installer.readthedocs.org/en/latest/single-installer.guide.html
[17:54] <smmoCoffee> the top level container is failing to initialize
[17:57] <smmoCoffee> a process execution error is thrown where the single_install python script tries to run pollinate command
[18:10] <kirkland> smmoCoffee: the pollinate command should fail gracefully, quietly
[18:11] <kirkland> smmoCoffee: is it not?
[18:11] <kirkland> smmoCoffee: can you paste some logs?
[18:13] <acmehandle> I have a dump question.  I'm running nginx.    I set up a self signed certificate a few months ago.  everything worked great.  I checked it against site certificate ssl/tls checkers and it was getting high marks.    I bought a certificate and I guess I used the wrong key or something.  I forgot the whole process from a few months ago.  Right now I keep getting the same self signed certificate warning in the browser.
[19:11] <pmatulis> acmehandle: check the nginx documentation to be sure
[19:15] <smmoCoffee> kirkland: here's the commands.log http://paste.ubuntu.com/12201532/
[19:17] <kirkland> smmoCoffee: so, first, I should mention that https_proxy=http://129.165.60.148:80 is a really bad idea, from a security perspective
[19:17] <SCHAAP137> acmehandle, it might be that the selfsigned cert is still in your /etc/nginx/nginx.conf, while you defined the website and its new "legit" certificate in a config file in /etc/nginx/sites-enabled/
[19:18] <acmehandle> Yes, seems I was passing the old csr to the cert issuer
[19:18] <acmehandle> Had to regenerate new server.key and new server.csr
[19:18] <kirkland> smmoCoffee: next, can you try adding "-i" to the list of pollinate flags?
[19:19] <acmehandle> now I have an ocsp server has not status of certificate.  But that appears to be that it requires to take a little time to resolve with the CA or something.
[19:21] <SCHAAP137> make sure to use an SHA-2 hashing function for the CSR, or your Chrome users will get the SHA-1 security warning when visiting the site
[19:21] <acmehandle> Yes, Sha256 2048
[19:21] <SCHAAP137> cool
[19:21] <SCHAAP137> you could also generate custom DH parameters
[19:21] <smmoCoffee> kirkland: so try running the installer as: openstack-install --upstream-ppa --https-proxy=http://129.165.60.148:80 -i
[19:21] <acmehandle> I was thinking of going all the way to 11 by using 4096...but in todays world I dont know if anyone cares
[19:22] <SCHAAP137> strengthens it a bit more
[19:22] <SCHAAP137> i use 4096 for mine
[19:22] <acmehandle> Oh, cool.
[19:22] <kirkland> smmoCoffee: sorry, no
[19:22] <acmehandle> I generated a dhparam.pem using 4096
[19:22] <acmehandle> dont know if that matters,
[19:22] <SCHAAP137> getting the 100/100/100/100 mark on ssllabs.com is not that hard either
[19:22] <acmehandle> or if it will cause a problem
[19:22] <acmehandle> Not if you have a vague idea of what youre doing   :-)
[19:23] <acmehandle> Which is pretty much what I have
[19:23] <acmehandle> But as long as its secure I dont care.
[19:23] <SCHAAP137> hehe, if you're using a 2048 bit cert, 2048 bit dhparams would be sufficient, but more is even better
[19:23] <SCHAAP137> generally speaking
[19:23] <SCHAAP137> as long as it's not less
[19:24] <acmehandle> This was really more of an exercise for me.  To gain some experience.  But with everyone moving to clouds I dont know if anyone cares anymore.  Besides me.
[19:24] <patdk-wk> getting 100/100/100/100 and maintaining a USABLE site, is hard :)
[19:24] <smmoCoffee> kirkland: where/how is the pollinate flag "-i" passed or configured?
[19:24] <acmehandle> Do you have ocsp as well SCHAAP137?
[19:24] <kirkland> smmoCoffee: it's in the cloud-init userdata
[19:25] <SCHAAP137> in apache i got OSCP to work, but with my current setup OCSP fails, haven't figured out why yet
[19:25] <kirkland> smmoCoffee: sorry, I don't know about the openstack-install
[19:25] <SCHAAP137> i got HPKP though
[19:25] <SCHAAP137> current *nginx setup
[19:25] <SCHAAP137> might be SNI related, not sure
[19:26] <SCHAAP137> if you want the CHACHA20-POLY1305 ciphersuites, you could recompile nginx with LibreSSL btw
[19:26] <acmehandle> Has it been 12-24 hours?  My 'resources' inform me that in some cases thats how long it takes to resolve.  I just got it to this point a few minutes ago
[19:26] <acmehandle> Do I need it?
[19:26] <acmehandle> I dont even know anymore.
[19:27] <SCHAAP137> hmm, really? i might just have been impatient
[19:27] <SCHAAP137> OCSP could protect your clients from some forms of MITM, theoretically
[19:27] <acmehandle> So I have read.
[19:28] <acmehandle> Some of what I've read says that with chrome the sites work right away. Firefox often has that delay with ocsp
[19:28] <SCHAAP137> it would require quite a skilled attacker though
[19:28] <acmehandle> I just opened up chrome and was able to access my site.  So that confirms taht much of the theory
[19:29] <acmehandle> How does a MITM attack work nowadays?  Are all those points out there that insecure that someone can break in to them?
[19:29] <acmehandle> I'm naive about this.
[19:29] <SCHAAP137> one could employ this: https://mitmproxy.org/
[19:30] <acmehandle> I just know to try to plug up whatever vulnerabilities I might have
[19:31] <patdk-wk> ocsp only protects you from a revoked certificate
[19:32] <patdk-wk> so, you have to know your certificate was compromised
[19:32] <patdk-wk> and revoke it
[19:32] <patdk-wk> before using oscp gains you any protection
[19:37] <smmoCoffee> kirkland: looks like openstack-install uses configuration found in ~/.cloud-install/userdata.yaml for the pollinate command
[19:50] <SCHAAP137> allright, got OCSP working now as wlel
[19:50] <SCHAAP137> *well
[21:12] <prudentmav> I'm new to server admin... Just created a vps at digitalocean with a lamp stack.  When I use adduser, is there a way to have a few additional things happen when a new user is created?  for example, in addition to creating the user, it creates a folder coping contents from a temp folder for the temp landing page then create a file in sites-available from template with variable for username inserted then enable site?
[21:27] <iNs> has anyone managed to get a simplest pptp tunnel going on? im having some dafuq moments ;) http://paste.ubuntu.com/12202197/
[21:35] <RevertToType> im having some difficulties setting up ubuntu server to automatically pull down an ip, if after boot I run sudo dhclient wlan0 it's all good, how can i automate that (is there a normal way in network/interfaces?)
[21:37] <fishcooker> i have keyauth enabled on sshd config .. how to show whois login through accepted key when one account login has many authorized keys?
[21:43] <RevertToType> could be as simple as post-up dhclient wlan0?
[21:44] <beisner> coreycb, fyi - kilo proposed pushed to kilo updates.  http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/kilo_versions.html
[21:45] <coreycb> beisner, thanks!
[21:54] <beisner> coreycb, likewise, yo.
[21:58] <sarnold> iNs: is that tunneled through ssh?
[21:59] <iNs> sarnold, no its not, i figured now its a problem with chap secrets i think, http://paste.ubuntu.com/12202341/
[21:59] <iNs> thats server side log snippet
[22:00] <sarnold> iNs: interesting. (the bit about /dev/pts/3 made me think it was like the old days when we'd run ppp over ssh..)
[22:02] <iNs> its 2 xen VM hosts, connection is about to take place between 2 VMs on each of those
[22:04] <iNs> every art/tut says something idfferent, any chance u could guide me to the 'proper' chap-secrets structure both server and client wise?
[22:06] <sarnold> iNs: looks like the format is "username servername password ip_address" with single spaces bewtween them
[22:07] <iNs> yea i know, that is the point
[22:07] <iNs> ive followed the man's and ugh
[22:07] <iNs> this is weird
[22:07] <sarnold> iNs: something that picky might also get confused if you have any trailing spaces at the end of the line, it might be worth looking for those, and probably the file needs to end with a newline
[22:07] <sarnold> are there any strange chars in the username, service name, or password?
[22:08] <sarnold> I'm having trouble figuring out what the service name ought to be -- but the guide on the ubuntu community wiki suggests that * also works there :)
[22:09] <iNs> the serivice name should be pptpd, should the chap secrets on the server be identical to the one on the client?
[22:10] <iNs> the service name in chap-secrets should be equal to the remotename send by request from the client
[22:13] <sarnold> iNs: hmm, the digitalocean guide suggests the client username and password ought to be stored in an /etc/ppp/peers/ file
[22:20] <RevertToType> so like what do i need to do to fire off dhclient at startup is there a entry i can just throw into network/interfaces or is there some other official way or is it literally throwing a script into rc#.d
[22:21] <RevertToType> my network/inferfaces file def. has dhcp in the second line... no clue why my card isn't pulling down an ip address until i run dhclient manually\
[22:22] <iNs> sarnold, hm, corrected it exactly like that tut says and nothing ;o
[22:22] <sarnold> RevertToType: anything in any logs? dmesg? syslog?
[22:23] <RevertToType> nothing seems amiss
[22:23] <RevertToType> like no errors or anything
[22:23] <RevertToType> it's just like it's not running
[22:23] <sarnold> iNs: logs on both client and server look unchanged?
[22:23] <sarnold> RevertToType: do you have an 'auto' stanza for tht nic?
[22:23] <RevertToType> (ub15.04, 3.19.0.26-generic)
[22:23] <RevertToType> yup
[22:23] <RevertToType> auto wlan0
[22:24] <RevertToType> next line is iface wlan0 inet dhcp
[22:24] <iNs> RevertToType,  u mean 'iface eth0 inet dhcp; ?
[22:24] <RevertToType> then my pre-up supplicant
[22:24] <sarnold> wireless? hmm
[22:24] <iNs> sarnold, yea O_o
[22:24] <RevertToType> @ iNs nope it's my wireless card and that's the dev
[22:24] <sarnold> iNs: check permissions? sshd at least is pretty picky, maybe pptpd is picky too :)
[22:27] <RevertToType> @ iNs would "wireless-mode Managed" in the interfaces file be useful... ?
[22:30] <iNs> after the wlan0 inet dhcp line, u can try having ssid key and managed mode yea
[22:30] <RevertToType> i have the ssid/key and all that in a pre-up wpa_supplicant thing
[22:31] <RevertToType> (WPA2, AES, Hidden ssid, ... i know this isn't making it easy)
[22:31] <RevertToType> and it didn't work (adding the managed line)
[22:38] <RevertToType> blech now lets say i just wanted to add that simple line (dhclient wlan0) to the end of my strup... used to be rc.local ... no clue what it is now, where do i put this rubbish?
[22:38] <sarnold> RevertToType: /etc/rc.local should still work
[22:39] <RevertToType> in the interest of being like "hrm" I don't see such a file
[22:39] <sarnold> granted, if you put it at the end, any services that should bind to that interface that are started via startup scripts will probably also fail
[22:39] <RevertToType> frick
[22:39] <RevertToType> so what do?
[22:40] <sarnold> interesting, the file I've got there is reported as unowned by dpkg -S /etc/rc.local
[22:40] <RevertToType> hrm
[22:40] <RevertToType> hrm there it is
[22:40] <RevertToType> oi vey
[22:40] <sarnold> try using it anyhow. add an 'exit 0' as the last line, #!/bin/sh -e  as the first line, mode 755 root:root:
[22:42] <iNs> sarnold, purged everything and done from scratch - same thing
[22:43] <iNs> dafuq
[22:44] <sarnold> iNs: dang. if it were mine to solve I'd use strace on both client and server and hope it leaves some clues behind. reading strace output isn't much fun but might give an idea where things go astray
[22:45] <RevertToType> it didn't work
[22:45]  * RevertToType scratches her head
[22:45] <RevertToType> this is so utterly baffling
[22:45] <iNs> welcome to the baffled club RevertToType lul
[22:45] <prudentmav> where if the file located that runs when a new user is created?  Wanting to create a public_html folder in their home directory, install october cms and then create file for sites-available folder then enable the site
[22:46] <prudentmav> where is*
[22:46] <RevertToType> so like techincally i should be able to run rc.local as if it were any other script right?
[22:46] <RevertToType> like
[22:46] <RevertToType> I should be able to ./rc.local and execute it if all goes according to plan yes?
[22:46] <sarnold> prudentmav: /etc/skel for the public_html, /usr/local/sbin/adduser.local for the adduser site-local customizing
[22:46] <sarnold> RevertToType: mostly
[22:46] <RevertToType> i'm geting a !/bin/sh not found O_O
[22:47] <prudentmav> thanks sarnold
[22:47] <RevertToType> when i attempt to run it from terminal (cause why not)
[22:47] <sarnold> RevertToType: the startup environment is typically very different from a logged-in-user's environment. so something that works perfect as a logged in user may not work well when booted.
[22:47]  * RevertToType nods
[22:47] <sarnold> RevertToType: #!/bin/sh ?
[22:47] <RevertToType> yeah
[22:47] <RevertToType> running it from command thrwos that error however it properly executed dhclient
[22:47] <RevertToType> but didn't on boot
[22:47] <RevertToType> as i said baffling
[22:48] <sarnold> and it's root:root, mode 755?
[22:48] <RevertToType> def mode 755
[22:48] <RevertToType> how do i tell the first part?
[22:48] <sarnold> ls -l /etc/rc.local
[22:49] <RevertToType> -rwxr-xr-x 1 root root 319 (?WHAT?)
[22:50] <sarnold> RevertToType: that means 755, one hardlink, owned by user root, group root, 319 bytes
[22:51] <RevertToType> so it should be all good
[22:51] <RevertToType> no clue why it hates me
[22:51] <sarnold> yes
[22:51] <sarnold> yes :)
[22:51] <RevertToType> honestly getting this thing to even connect to the freaking wireless was a chore
[22:51] <RevertToType> like not a single tutorial i walked through worked until i just started parsing out as much as i could from arch and debian tutorials :V
[22:54]  * RevertToType drools staring at the screen
[22:54] <RevertToType> this has made me feel more and more incomprehensibly dumb every second
[22:55] <sarnold> it shouldn't
[22:55] <sarnold> wireless is miserable
[22:56] <sarnold> the debian networking configuration is miserable
[22:56] <sarnold> combined they are very miserable.
[22:56]  * RevertToType continues to drool
[22:56] <RevertToType> but now we're not even talking about wireless
[22:56] <sarnold> I know I got it working a decade back on a laptop, but, as much as I detest network-manager, it does seem to more or less mostly work on wireless things. :/
[22:56] <RevertToType> we're talking about a single command that does run in terminal a-ok
[22:57] <RevertToType> but doesn't in a startup script
[22:57] <RevertToType> and oh god yes, even with a wm i had a dog of a time on ub9.04 and my old netbook
[22:57] <RevertToType> i remember the nightmares
[22:58] <RevertToType> do i need to do like update-rc.d or something?
[22:58] <RevertToType> i mean i shouldn't have to but at this point you could tell me 'create a script that just forks endlessly' and i'd believe it
[23:01] <sarnold> RevertToType: /etc/rc.local should be run by /etc/init.d/rc.local during boot without any real effort on your part
[23:01] <sarnold> RevertToType: pastebin your script?
[23:01] <RevertToType> ack systemd might be the ish?
[23:01] <RevertToType> no need to paste (excluding commented lines)
[23:02] <RevertToType> !/bin/sh -e
[23:02] <RevertToType> sudo dhclient wlan0
[23:02] <RevertToType> exit 0
[23:02] <sarnold> that first line needs the #!
[23:03] <sarnold> the kernel is looking for those two bytes, they've got to be there. :)
[23:03] <RevertToType> damnit
[23:03] <RevertToType> my brain
[23:03] <sarnold> take out the 'sudo', it's already running as root..
[23:03] <RevertToType> it was a second add after the first 2 failures :V
[23:03] <sarnold> and it'd be best to give the full path to dhclient, the PATH is often very constrained during boot scripts.
[23:03] <sarnold> :)
[23:03] <RevertToType> oh yeah
[23:04] <RevertToType> thx
[23:04] <RevertToType> oi
[23:04] <RevertToType> freaking staring at this screen has made me dumb and just near constant callllll/interruptions
[23:05] <iNs> i am as well pulling my hair out
[23:05] <iNs> both out of my head and beard now as well, thefuk
[23:06] <RevertToType> don't lose dat beard
[23:08] <iNs> im closer to losing my mind actually
[23:08] <RevertToType> sarnold: no joy :/
[23:10] <sarnold> RevertToType: alright, what went wrong? did you get any error messages logged? anything in dmesg?
[23:12] <RevertToType> hrm
[23:12] <RevertToType> nothing relating to rc.local
[23:13] <RevertToType> i do however see that ipv6 seems to be fine
[23:13] <RevertToType> hrm do i need to set up some freaking dhcpconf kinda rubbish?
[23:14] <RevertToType> i mean regardless the rc.local thing should do it
[23:15] <sarnold> RevertToType: maybe remove all mentions of this interface from /etc/network/interfaces -- stick everything needed for it in the /etc/rc.local -- modprobe whatever modules are needed, add the iwconfig and wpa_supplicant and dhclient commands there manually..
[23:15] <RevertToType> ugh
[23:19] <iNs> sarnold, you wont believe it
[23:20] <teward> sarnold: ping
[23:20] <iNs> by habit, even simple passwords of mine, containt numerical/special characters ...
[23:20] <teward> (apologies for duplicate posts, laggggggggggy)
[23:20] <sarnold> heya teward
[23:20] <iNs> sarnold, using a simple password fixed it, lawl
[23:20] <sarnold> iNs: .. which oddball charcter broke this? :)
[23:20] <iNs> im gonna check it now lol for test purposes
[23:21] <iNs> seriously
[23:21]  * iNs knocks his head
[23:21] <sarnold> iNs: and worse yet.. dare look at the code and see if it's exploitable? :)
[23:21] <teward> sarnold: http://dark-net.net/?p=100 <-- the landscape-and-gitlab headache.  hoping to god i can find a replacement CPU for my ESXi box :/
[23:21] <teward> (it's still not 100% fixed :/)
[23:22] <teward> rbasak: FYI: nginx ppa builds delayed due to other (private business) builds that are taking an emergency-priority leve.
[23:22] <teward> :/
[23:24] <iNs> sarnold, # breaks it
[23:24] <iNs> : d
[23:24] <sarnold> iNs: haha, probably killed by a comment parser in an earlier pass..
[23:24] <sarnold> teward: nice :)
[23:25] <sarnold> teward: man there's a lot of fiddly things to change there
[23:25] <iNs> wasted so much time for this ;d
[23:25] <RevertToType> apparently ub15.04 is using systemd and upstart ... perhaps it's time to look into that for this one simple stupid command
[23:25] <teward> sarnold: yeah, the Apache redirs don't help
[23:26] <teward> (change the port, port redirs are still enforced by Landscape, even if the baseurl isn't set as such)
[23:26] <teward> Landscape used to be on my ESXi box
[23:26] <teward> as a VM
[23:26] <teward> then the CPU died
[23:26] <teward> so...........
[23:26] <teward> (we need ARM landscape-server xD)
[23:27] <teward> (then my RPi can be my Landscape server xD)
[23:27] <sarnold> RevertToType: pitti put this together, it's been useful reading for me https://wiki.ubuntu.com/SystemdForUpstartUsers
[23:27] <sarnold> heh, would an rpi have the ram to make it work? :)
[23:28] <RevertToType> nice i'll poke into that... gotta run but sarnold thank you so much for your help
[23:28] <teward> sarnold: potentially?  Landscape never ate more than 768MB on my system, but meh
[23:28] <teward> sarnold: the big problem is that my ESXi box did blow up on me, without that, everything's on the converted desktop that's my Gitlab machine
[23:29] <sarnold> RevertToType: good luck :)
[23:29] <teward> sarnold: btw can i grab your opinion on something?
[23:29]  * RevertToType salutes sarnold
[23:29] <sarnold> teward: 768, that's not bad
[23:29] <teward> sarnold: only 3 systems on it right now, the others are status:dead because ESXi
[23:30] <teward> but i still need your thoughts
[23:30] <teward> as a sec team person :P
[23:30] <teward> PM?
[23:30] <sarnold> sure
[23:31] <iNs> anyway sarnold thanks as well
[23:31] <iNs> "ridiculous solutions vol. XX"
[23:35] <sarnold> iNs: haha :)
[23:36] <sarnold> iNs: glad you got it! your beard will thank you.
[23:36] <iNs> haha, most def
[23:36] <iNs> damn thesis deadlines
[23:36] <iNs> gotta take a break, this thing annoyed the shit out of me lol