[00:00] <sarnold> Tangurin: sometimes they may offer a framework or product of some sort, and they'll have configured all this kind of stuff before allowing users to deploy their specific portions
[00:01] <sarnold> Tangurin: sometimes they just do simple static serving and they don't actually allow their clients to run code in the web server at all
[00:01] <Tangurin> sarnold: hmm ok
[00:01] <Tangurin> sarnold: Well I will have to look into this someday... but not now! Now I have to sleep. in the middle of the night and work today! Thank you for your time and have a nice day! :)
[00:02] <sarnold> Tangurin: woo :) have fun, sleep well
[05:50] <guillaume_s> hi everyone
[05:52] <guillaume_s> I'm searching for an answer to a question in order to be able to install ubuntu-server. I have been asked to install Linux (ubuntu) on an ibm 9407-515 server. This is the first time I've done it on a server. We've realized that we couldn't create a LPAR because when we try to modify anything we are told that we don't have the feature 7966 "Note: Error 400000C4 when trying to modify partition configuration can be a result of not havi
[05:53] <guillaume_s> partitioning. " The problem is that he stopped his contract with IBM so we don't know how to add this feature. Our actual firmware is SF240-238
[05:55] <guillaume_s> anybody with an idea, it would be really nice if you could tell me, it's been a few days now and i feel lost
[05:55] <TJ-> guillaume_s: hi again. Have you seen http://www-01.ibm.com/support/docview.wss?uid=nas8N1014228
[05:55] <guillaume_s> yes
[05:55] <guillaume_s> and read all redbooks
[05:57] <guillaume_s> i must say we don't have any HMC
[05:57] <TJ-> guillaume_s: tell the client to contact IBM. They need to purchase the feature.
[05:59] <guillaume_s> ok. So that's what i thought. The feature is at 0 dollars. Do you think they'll be able to do something even if he stops his contract with them ? last question. Would it be possible to do it another way ? Like removing the current os and replace it with Ubuntu ? or would it be very hard to do ?
[06:01] <TJ-> guillaume_s: He'd have to talk to IBM about the feature, I can't say. I doubt replacing i5/OS is a good idea. There's no guarantee Linux fully supports all the system hardware.
[06:04] <guillaume_s> you're right, thank you for your time, this is pretty much what i wanted to hear. Will you be here later today ?
[06:15] <TJ-> guillaume_s: probably not, I've been doing some early-hours hacking :)
[06:16] <guillaume_s> nice, well thank you. I hope i'll manage to install it by myself.
[08:54] <mnms_> I would like to install ubuntu as my ftp server with 4TB disks. Are there any problems with disks bigger than 2TB ? I would like to make software RAID 1 using the ubuntu installer. Should I expect any problems with the following configuration :) ?
[08:55] <lordievader> mnms_: Not if you are using gpt. But don't use ftp, use scp, sftp or anything else. Ftp is a bad idea.
[09:06] <sysrex> mnms_, I will second lordievader ftp is a really bad idea
[09:06] <sysrex> and if you are planning in having large files I would go with xfs
[09:09] <mnms_> guys I will use certificates to not send credentials in plain text
[09:09] <maswan> yeah, nothing wrong with ftp if you use tls
[09:10] <mnms_> lordievader, sysrex: Ok, I understand you mean I should use ssh protocol ?
[09:10] <sysrex> yes, safer and faster
[09:11] <mnms_> ok
[09:11] <mnms_> thanks for that
[09:11] <sysrex> no worries mate
[09:11] <lordievader> maswan: Isn't ftp + tls sftp or ftps?
[09:11] <maswan> lordievader: sftp is based on ssh, you could call it ftps I guess, but I've never seen that
[09:12] <lordievader> https://en.wikipedia.org/wiki/FTPS
[09:12] <lordievader> So it is ;)
[09:15] <mnms_> So I can create GPT layout on hdd through ubuntu installer ?
[09:16] <maswan> I think so, but I've never tried it. All of my large storage servers have HW raid controllers with a small OS partition, or small dedicated OS drives.
[09:16] <lordievader> mnms_: I'd do it by hand if I were you.
[09:17] <mnms_> maswan: I would like to ensure somehow before I buy the disks
[09:17] <lordievader> Gpt/mbr is irrelevant for a disk itself.
[09:17] <lordievader> As long as it can store data it can have gpt or mbr partition tables.
[09:19] <mnms_> lordievader: true, but I'm buying it to have large partitions. If I have problems creating them, it doesn't make sense to spend the money
[09:20] <lordievader> mnms_: Go with gpt: https://wiki.manjaro.org/index.php?title=Some_basics_of_MBR_v/s_GPT_and_BIOS_v/s_UEFI#MBR_vs._GPT
[09:21] <mnms_> Right now I put disks <= 2TB, run ubuntu-server edition, going through installer steps and everything works fine
[09:22] <lordievader> Ubuntu works fine with gpt disks, just don't know if the installer can set it up. Hence the advice to do it manually.
[09:26] <mnms_> I guess I need to change something in BIOS to activate UEFI, correct ?
[15:55] <rbasak> smb: did you ping me earlier? I can't find it.
[15:55] <smb> rbasak, yeah on some other channel.
[15:56] <smb> rbasak, Was wondering what questions there were about dpdk and whether those would stop us from uploading 2.0 as it is now
[15:56] <rbasak> smb: have you seen the replies to http://dpdk.org/ml/archives/dev/2015-September/023180.html?
[15:56] <smb> Most comments seemed to say we did it the same or at least a similar way
[15:57] <smb> rbasak, was quickly scanning over
[15:57] <rbasak> smb: upstream seem receptive, but I wanted to reply to Thomas. It sounds like the soname is well-defined now in latest upstream, but what about the sover?
[15:57] <smb> Most things seemed to address 2.1
[15:58] <smb> Yeah, the reply from Stephen sounded like there is one defined in the config now... but not which
[16:54] <smb> rbasak, oh also it would simplify things for me if you could just add me to a cc: on those emails. Then I do not have to poll some archive site to see what's going on. :)
[17:53] <teward> should packages be built with the expectation of having dpkg-divert being called upon it to divert installation of a configuration file, when dpkg-divert is called from a different package?
[18:08] <jge> howdy, anyone know if samba respects linux acls? I'm using the "hide unwritable/unreadable" options in a samba share but I only get permission denied, I would like them to not see what they don't have access to
[18:09] <jge> I've only been able to get this working by using standard perms
[18:10] <sarnold> jge: would that change directory listings for a user based on which files or directories they can actually read or write?
[18:12] <jge> sarnold: a directory will be hidden for them if they don't have read/write perms
[18:12] <sarnold> jge: what happens if they try to create a directory or file with a hidden name?
[18:14] <jge> sarnold: I get, "you must type a file name" on a win7 client
[18:14] <sarnold> weird
[18:14] <sarnold> well, at least it's an error that's actually handled on the client..
[18:14] <jge> I should be able to get the behavior I want by using ACLs too right?
[18:15] <jge> right
[18:22] <sarnold> jge: it looks like samba does the entire access control checks itself http://sources.debian.net/src/samba/2:4.1.17%2Bdfsg-4/source3/smbd/open.c/?hl=69#L69
[18:23] <sarnold> jge: I don't know where the lp_acl_check_permissions() function is defined -- it _might_ hide a call to access(2), but without seeing it, I think that means you've got to use samba acls and not linux acls
[18:25] <jge> sarnold: hmm interesting, I thought samba used linux perms/acls, didn't know they had their own mechanism for access control
[18:28] <sarnold> jge: if you find the lp_acl_check_permissions() function, that'd explain everything. :) I just don't know where else to go looking for it. you might be right..
[18:29] <jge> sarnold: ok thank you, i'll dig into it more
[19:26] <henkjan> why is ssh complaining:
[19:26] <henkjan> Warning: the RSA host key for 'test2.mydomain.local' differs from the key for the IP
[19:26] <henkjan> address '172.16.28.194'
[19:26] <henkjan> Offending key for IP in /home/henkjan/.ssh/known_hosts:110
[19:26] <henkjan> Matching host key in /home/henkjan/.ssh/known_hosts:102
[19:27] <henkjan> the 'offending' key is in ecdsa format
[19:27] <henkjan> the matching key is rsa
[19:27] <henkjan> why would ssh complain about a key in a different format?
[19:28] <henkjan> both keys in known_hosts are the keys as found on the server in /etc/ssh/
[19:28] <quantic> henkjan: because if one key matches and the other doesn't, it's potentially a security issue.
[19:28] <quantic> henkjan: it is conceivable that a hostile mitm could be spoofing one key, but not another.
[19:29] <quantic> henkjan: also, one key is matched on hostname, and the other by IP. DNS redirection is also a possibility.
[19:29] <quantic> henkjan: i.e. the DNS entry for the host was changed to point to a different and possibly hostile system.
[19:29] <quantic> henkjan: verify the host key fingerprint against the keys actually on the host, and if they match, clear the offenders from known_hosts
[19:30] <henkjan> both keys in known_hosts are the .pub versions from the server
[19:31] <henkjan> is the ssh client not smart enough not to try to match an rsa fingerprint with an ecdsa key in known_hosts?
[19:31] <sarnold> henkjan: it's complaining about the different format because it might mean the connection or server has been manipulated
[19:31] <quantic> henkjan: ^
[19:31] <quantic> henkjan: it's being paranoid, and rightly so, by design. clear the offending keys and let it recreate the known_hosts entries if everything's fine.
[19:32] <sarnold> henkjan: it'll continue to warn you until you remove the key that's no longer being used, as a way to acknowledge that the change is intentional
[19:35] <henkjan> 21:28 < quantic> henkjan: also, one key is matched on hostname, and the other by IP. DNS redirection is also a possibility.
[19:35] <henkjan> i'll check on that one
[19:37] <henkjan> hmm, maybe its a good idea to maintain a global known_hosts in /etc/ssh/ssh_known_hosts on this jumphost
[21:14] <Slugs_> is anyone aware of an ubuntu iso that includes openstack as a software installation selection?  —— http://i.stack.imgur.com/WGJlN.jpg
[21:15] <Slugs_> i can’t seem to find thids
[21:15] <Slugs_> *this
[21:17] <sarnold> I wouldn't be surprised if that's been removed, if it ever existed "publicly", there's just so many ways to run an openstack system, and so many pieces of software, it doesn't really make sense to have one "openstack" task.
[21:18] <Slugs_> interesting
[21:18] <Slugs_> that makes a lot of sense
[21:18] <Slugs_> thank you sarnold
[21:18] <sarnold> Slugs_: take a look at this, it might be helpful http://www.ubuntu.com/download/cloud/install-ubuntu-openstack
[21:20] <Slugs_> thank you
[22:23] <teward> anyone else on the server team want to comment on https://lists.ubuntu.com/archives/ubuntu-server/2015-September/007106.html or https://lists.ubuntu.com/archives/ubuntu-server/2015-September/007107.html
[22:29] <teward> sarnold: thanks for looking, i shoulda poked -hardened first xD
[22:29] <teward> but you're here :)
[22:29] <teward> (I also said in a response that they should first get it into Debian, and their security teams'll ask the same questions :P)
[22:32] <sarnold> teward: well, they're likely to be happy to accept it, the more the merrier etc, but these already exist so they have to hit a certain minimum of usability.. :)
[22:34] <teward> sarnold: mmm
[22:34] <teward> sarnold: indeed, although even then... :P
[22:35] <teward> sarnold: i don't think there's any protocol for VPN out there that's 'brand new' that passes security muster, but I may be wrong
[22:41] <teward> o/ LinuxJedi
[22:42] <sarnold> teward: indeed.. I liked reading the strongswan code though.
[22:42] <teward> sarnold: strongswan broke my IPSec on my pfSense though
[22:42] <teward> had to nuke and redo all the IPSec configs
[22:43] <sarnold> teward: .. and it doesn't work in draconian networks that allow e.g. only port 80 traffic through. so it's not perfect tool for everybody..
[22:43] <teward> mhm
[22:44] <teward> grrrr openssl ftbfs on armhf on my rpi >.<
[22:45] <LinuxJedi> hey teward
[22:47] <teward> LinuxJedi: nginx mainline ppa is *delayed* because i'm inundated at work >.<
[22:47] <teward> in case anyone cares
[22:47] <teward> but i don't think everyone does xD
[22:48] <LinuxJedi> teward: I resemble that remark :) NGINX conf next week so I'm spending every hour possible preparing
[22:48] <teward> LinuxJedi: oh, that's right, give everyone my regards and my regret about not being able to attend :)
[22:48] <teward> sarnold: sorry for hijacking an otherwise quiet channel XD
[22:48] <LinuxJedi> will do. And sorry from me too sarnold :)
[22:50] <sarnold> meh I don't care :) it's remotely on-topic anyway..
[22:50] <teward> sarnold: can I get a security team opinion on a CVE though
[22:50] <teward> semi-related :P
[22:50] <sarnold> sure..
[22:50] <teward> sarnold: http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4968.html <-- worth backporting fixes?
[22:51] <teward> LinuxJedi: ^ same question, except is there backported changes for this CVE for 1.6.x (which i know is dead, yes)
[22:54] <LinuxJedi> my personal opinion is since we added it as a feature (off by default) I don't think it needs a backport. The default behaviour will be the same as 1.6 I believe. Those who would configure this are probably using their own builds anyway.
[22:54] <LinuxJedi> that said, it doesn't look like it is a difficult one to backport if you want to do it
[22:55] <teward> hence me asking sarnold if it's worth it xD
[22:57] <sarnold> teward: no, I wouldn't bother. no one's asked us for it...
[22:57] <teward> ok then :)
[22:57] <sarnold> teward: and anyone who really cared could use stunnel
[22:58] <sarnold> teward: you're busy enough and have enough things to do that it doesn't seem worthwhile. if you were bored, maybe. but that doesn't seem to be an issue. :)
[22:58] <teward> sarnold: should it be 'wontfix' or such, as in 'we don't really see this as a huge concern'
[22:58] <teward> sarnold: meh, just doing my regular poking of the tracker :)
[23:19] <sarnold> teward: I just checked in an update with some notes
[23:19] <teward> sarnold: ?
[23:21] <sarnold> teward: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/9951
[23:21] <teward> ah
[23:22] <teward> sarnold: ACK on that, +1 on the notes as such
[23:22] <sarnold> thanks
[23:23] <teward> sarnold: it's definitely patched in Wily, but meh
[23:43] <RevertToType> maybe here will help... so i'm building up from server to make a kiosk everything is actually nearly perfect except--- one thing; so i have xorg installed and it's running a web browser in kiosk mode with all the correct settings, now i want users to be able to save files to their flash drive should they need to but nowhere else.  if this was windows i could gpo the save file box to only show the equivalent to /media/usb0 as the only opti
[23:43] <RevertToType> please say it isn't
[23:44] <sarnold> RevertToType: your first message was cut off at "as the only opti"
[23:44] <RevertToType> show the equivalent to /media/usb0 as the only option but i don't see an immediate way to do that with my current setup.... is there a way? I know that setting permissions hasn't "hidden" the other folders from the users' view so i'm kinda at a loss... is this the point i have to breakdown and consider a wm/de?
[23:44] <RevertToType> also sarnold do you have a project or something i can donate to so i can show gratitude for the endless patience dealing with me?
[23:44] <RevertToType> or a paypal i guess... a pint on me so to speak
[23:45] <sarnold> RevertToType: if it were me, I'd modify the apparmor profile for the web browser to allow writing to /media/usb0/**, but I don't know how you pre-populate that as the save-as dialog source
[23:45] <sarnold> RevertToType: hehe, thanks, but no; just pass it along :)
[23:46] <RevertToType> sarnold: yeah i mean right now i have two options; leave the save dialog box open entirely or remove the ability to save... this is kinda the 3rd layer of polish on the system which would take it from "meets requirements" to "meets all the things we wanted but thought we couldn't have"
[23:48] <RevertToType> oh snap... maybe i can do stuff in the gyk .config file...
[23:48] <RevertToType> gtk rather
[23:52] <sarnold> RevertToType: it _might_ start with the HOME directory or something similar
[23:53] <RevertToType> yeah i think with a bit of tweaking i could just make it so it opens up a really small dialog box with no navigation just auto-located to the usb drive and the button "save" hehe
[23:54] <RevertToType> like "select the one place you can save it...nope there's only one... save or cancel... i'll wait"