=== Lcawte is now known as Lcawte|Away
[00:04] <jak2000> sarnold, teward: ssh-keygen -t rsa -b 4096
[00:04] <jak2000> these files were generated: http://pastie.org/10517125
[00:04] <jak2000> which copy to remote server?
[00:05] <sarnold> jak2000: id_rsa.pub
[00:05] <sarnold> jak2000: you'd save it as ~/.ssh/authorized_keys
[00:06] <sarnold> jak2000: normally you want to append these public keys to the authorized_keys, to keep any that you already have stored there
[00:06] <jak2000> in the remote server?
[00:06] <sarnold> jak2000: the ssh-copy-id program automates this
[00:06] <sarnold> jak2000: yes
[00:09] <jak2000> sarnold, create the file without password right?
[00:09] <teward> if you don't want to provide a password then yes
[00:09] <sarnold> jak2000: yeah, for automated backup systems that's probably best
[00:09] <teward> i have a few ssh keys that i use for passwordless autosyncs of data :)
[00:10] <sarnold> jak2000: you can jump through some hoops to run an ssh-agent that works for cron, but it's a big hassle.
[00:10] <jak2000> isnt dangerous?
[00:10] <jak2000> without password?
[00:10] <sarnold> slightly dangerous, yes
[00:11] <sarnold> but your id_rsa key is mode 600 in a directory that is mode 700 -- it's a bit safer than a password in a shell script in /usr/local/bin :)
[01:46] <sallon> Are there people who know how to move graphics driver? i work in ubuntu 14.04 and i run in driver i915
[01:53] <sallon> but my real driver for my hardware is the i965, i have downloaded and set up package i965 jessie debian. All dependencies are successful
[01:54] <sallon> i would like to know if modprobe works for disable and enable after reboot system ?
[01:57] <sarnold> sallon: if you need to load a module after every reboot, /etc/modules or /etc/modules-load.d/ might help you
=== markthomas is now known as markthomas|away
[02:01] <sallon> sarnold yes i know, but i would like to confirm if a dev or user has been successful with ubuntu 14.04
[02:01] <sallon> sarnold yes i know, but i would like to confirm if a dev or user has been successful with ubuntu 14.04
[02:04] <sallon> sarnold thank you for your time reading
[02:06] <nbros652> anyone know how to get /usr/bin/beep to work from a udev script?
[02:07] <nbros652> It works just fine when I run the script manually. The script runs just fine when run by udev, but it fails to beep the pc speaker.
[02:14] <shauno> nbros652: modprobe pcspkr and try again?
[02:15] <shauno> I believe if that's not loaded, 'beep' will default to just echoing ^G to the terminal, which does the traditional beep - but won't work if the parent process doesn't own a terminal
[02:21] <shauno> nbros652: failing that, man beep and check out the section 'ioctl wackiness', there's a run-down on what conditions have to be met for beep to be allowed
[02:21] <nbros652> did that in the script. It works just fine and beeps when I run the script manually.
[02:22] <nbros652> shauno: ^^
[02:39] <nbros652> shauno, I can't find any clear reason why it's not beeping when run by udev. I even changed the permissions on /usr/bin/beep to allow everyone to beep. It still fails to beep when run by udev while manually running the script produces a beep.
[03:12] <nbros652> shauno, it's working now. I didn't make any changes. It just went from not working to working, I'll take that as a win. I just wish I knew what changed.
[03:13] <shauno> yeah, it'd be nice to know.  but the system bell is a very weird beast, being still handled by the tty for reasons that are older than either of us
[03:19] <nbros652> shauno, okay, this is strange. It consistently beeps on some USB sticks but not others! Any thoughts on that one?
[03:20] <nbros652> Perhaps, the script is not running with the insert of certain usb devices
[03:20] <shauno> none at all.  that'd be squarely in udev's court, which I'm still unfamiliar with
[03:20] <nbros652> okay, thanks.
[03:21] <nbros652> strange... it is running. I can see the USB get mounted and unmounted... I guess I'll just have to play around with it and see if I can figure out what's going on.
[04:39] <jak2000> sarnold? are you there?
[05:52] <jak2000> i am trying to copy a file from server1 to server 2: http://postimg.org/image/5e385aizd/ with ssh-keygen -t rsa, cant. i do: 1) in server 1, typed: ssh-keygen -t rsa, generated 2 files on: /home/jak/.ssh id_rsa and id_rsa.pub, 2) next step, i do: cat /home/jak/.ssh/id_rsa.pub and copied the content to server 2 to: /home/jak/.ssh/authorized_keys then server1 file /home/jak/.ssh/id_rsa.pub
[05:52] <jak2000> is exact same on server2: /home/jak/.ssh/authorized_keys i do this command: rsync -avzP /backup/tari.sql jak@domain.noip.me:/home/jak/sql/ asked something yes/no, typed yes, and then asked me for jak's password, typed correctly, and the file was copied, reran the rsync command and again it asks me for a password, what am i doing wrong? thanks
=== cpaelzer_ is now known as cpaelzer
[07:26] <noregret> NSS can't resolve local hosts using their FQDN, what could be wrong? dig/host can resolve normally but not e.g. ping/firefox
[07:42] <TJ-> noregret: what order is the 'hosts' setting in /etc/nsswitch.conf ? maybe mdns is getting in first?
[07:46] <noregret> TJ-: hosts:          files mdns4_minimal [NOTFOUND=return] dns
[07:48] <TJ-> noregret: So possibly mdns4_minimal is answering first, especially likely if the domain is .local
[07:49] <noregret> TJ-: it is .local
[07:49] <noregret> TJ-: how can i check mdns4 ?
[07:49] <noregret> TJ-: btw, the configured dns servers on my machine are a local one and google's
[07:50] <noregret> so could it be using google's to resolve those?
[07:50] <TJ-> noregret: see "man nsswitch.conf"
[07:50] <noregret> can I configure priority ?
[07:51] <TJ-> noregret: the order of services is first-come, first-served, so if mdns4_minimal answers for .local and says NXDOMAIN (in DNS speak) then dns will never be tried
[07:53] <noregret> TJ-: sorry but i don't know what mdns4_minimal is, is it also a "minimal" dns server?
[07:55] <TJ-> noregret: it's serviced by the package "libnss-mdns"
[07:55] <TJ-> !info libnss-mdns
[07:55] <ubottu> libnss-mdns (source: nss-mdns): NSS module for Multicast DNS name resolution. In component main, is optional. Version 0.10-6 (wily), package size 20 kB, installed size 125 kB
[08:13] <noregret> TJ-: where can configure it?
[08:14] <TJ-> noregret: configure what?
[08:15] <noregret> TJ-: libnss-mdns package, could it be reading an incorrect dns? (only google's)
[08:16] <TJ-> noregret: I already told you, see "man nsswitch.conf"
=== cz2 is now known as ntoskrnl
[10:56] <pascal> anyone has a checklist for lsi megaraid cards/perc cards ?
[10:56] <pascal> i have a server going at 1mb/s
[11:47] <bekks> pascal: Which checklist?
[11:50] <rbasak> stgraber: http://askubuntu.com/questions/691860/how-to-upgrade-lxc-container-after-do-release-upgrade-to-wily
[11:51] <rbasak> stgraber: run do-release-upgrade inside the container I presume? I've not actually tried this though. I know dist-upgrade would work.
[11:51] <bekks> dist-upgrade doesnt upgrade releases.
=== Lcawte|Away is now known as Lcawte
[12:52] <atralheaven_> Hello, I want to install php, which version should I install?
[12:53] <bekks> !info php | atralheaven_
[12:53] <ubottu> atralheaven_: Package php does not exist in wily
[12:53] <bekks> Yay :)
[12:53] <bekks> !info php5 | atralheaven_
[12:53] <ubottu> atralheaven_: php5 (source: php5): server-side, HTML-embedded scripting language (metapackage). In component main, is optional. Version 5.6.11+dfsg-1ubuntu3.1 (wily), package size 1 kB, installed size 10 kB
[12:53] <atralheaven_> is php5 the last version?
[12:54] <bekks> Which version do you need?
[13:13] <atralheaven_> bekks: I don't know, thats why I asked
[13:14] <atralheaven_> which version is regular version?
[13:14] <bekks> atralheaven_: Then whats your actual goal?
[13:14] <bekks> What do you need php for?
[13:15] <atralheaven_> wordpress, mainly
[13:16] <atralheaven_> I have not worked with php before
[13:16] <bekks> Then you'll be fine with the version in the ubuntu repos.
[13:17] <atralheaven_> bekks: you mean php5 package? because there is no php package
[13:18] <atralheaven_> bekks: just for knowing, what's the last version? I think there is a php7 but its still under development, right?
[13:18] <bekks> www.php.net tells you about the last version out there. Just use the version available from the Ubuntu repos.
[13:19] <atralheaven_> bekks: I installed php5, Thanks :)
[13:21] <atralheaven_> bekks: it seems that php7 will be out about two weeks later
[13:22] <atralheaven_> bekks: I will ask my other questions on #php
[13:27] <atralheaven_> how can I install "mod_rewrite apache module" on ubuntu server 14.04
[13:28] <hateball> a2enmod mod_rewrite
[13:30] <atralheaven_> hateball: "ERROR: Module mod_rewrite does not exist!"
[13:32] <jrwren> its a2enmod rewrite
[13:32] <hateball> yes, my bad
[13:33] <atralheaven_> Thanks :0
=== Lcawte is now known as Lcawte|Away
[15:05] <phre4k> what's the difference between the ubuntu and ubuntu-cloud LXC images?
[15:05] <rbasak> Technically they are different templates, not images.
[15:05] <rbasak> The "ubuntu" template builds you a rootfs using debootstrap.
[15:05] <rbasak> The "ubuntu-cloud" template uses cloud images.
[15:06] <rbasak> With the latter you get a cloud-init based system, with the former a more "traditional" system.
[15:06] <rbasak> For most things it should make little difference except that the latter is much quicker.
[15:06] <rbasak> (to create)
[15:13] <phre4k> yeah, meant templates, sorry. So the major difference is the init system?
[15:15] <phre4k> @ rbasak
=== CiPi is now known as cipi
[15:20] <rbasak> phre4k: I guess so. Perhaps the set of default installed packages too, and some other minor configuration pieces. Note that the "init system" as in upstart or systemd is the same. cloud-init adds on to either.
[15:22] <rbasak> "ubuntu-cloud" will get you an environment much closer to what you'd get on an OpenStack VM, Amazon EC2 instance, etc.
[15:22] <rbasak> Or Ubuntu deployed with MAAS.
[15:22] <rbasak> "ubuntu" will get you something close to what the server installer does.
[15:22] <rbasak> If you install from CD image.
[15:42] <phre4k> aaah ok, thanks for clearing that up. Using the cloud template :)
=== beck is now known as designbybeck
=== genii is now known as zombiegenii
[15:53] <phre4k> why can't I create a LXC container with -r wily? It seems that it didn't find the release...
=== zombiegenii is now known as genii
[15:55] <herrkin> hello community. I have a question for you. I have to set a server on a company, I dont want them to mess with my code but they change network settings very often, so I need to let them access the server to change that, is there a way that I can create a user that can only change the network settings and maybe ping or something like that?
[15:56] <phre4k> herrkin: how do you want them to change the network settings?
[15:57] <phre4k> with networkmanager, editing /etc/network/interfaces, ...?
[15:57] <rbasak> herrkin: on a server only root can change network settings by default. You can write a wrapper and then configure sudo to provide a particular user access to run only your wrapper as root.
[15:57] <genii> herrkin: Create a user for that and then give them access to specific application in sudoers file
[15:57] <rbasak> Yeah basically what genii said - same thing :)
[15:58] <herrkin> ok honestly I havent used networkmanager so I use the /etc/network approach
[15:58] <rbasak> Note that wrappers are finicky to get secure.
[15:58] <rbasak> So I wouldn't rely on them for strong security unless you really know what you're doing.
[15:58] <herrkin> ok now I am confused
[15:58] <herrkin> how do I do it?
[15:59] <rbasak> But if they have physical access then they have root anyway.
[15:59] <herrkin> if they have physical access there is a log in screen
[15:59] <rbasak> There's also a box with screws on it.
[15:59] <herrkin> no root unless you log as root
[16:00] <rbasak> And a BIOS that lets me boot something else to reset the root password with
[16:00] <rbasak> (or just change the kernel boot parameters)
[16:00] <herrkin> not if I have the encrypted partition
[16:00] <herrkin> I think
[16:00] <rbasak> What if they lose power? They can't use the server until you come in and type the decryption password?
[16:01] <rbasak> What if you get hit by a bus on the way in to do that?
[16:01] <herrkin> so there is no way to deny access to root?
[16:01] <rbasak> And even then I could trojan the password prompt.
[16:01] <rbasak> Google "evil maid attack".
[16:01] <rbasak> Not if they have physical access.
[16:01] <rbasak> And if they know what they're doing.
[16:01] <phre4k> found the solution to my LXC issue: you have to do lxc-create -n name -t ubuntu-cloud -- -r wily (note the double dashes)
[16:01] <rbasak> And they want to get root.
[16:02] <herrkin> thats bad, I thought there was a way to deliver a secured box so that no one could log in and even if they wanted to get access to the partition it was encrypted
[16:02] <phre4k> herrkin: do you know a scripting language, e.g. python? Install python, write a small script which can change the network settings and only give them the right to exec that particular script
[16:03] <phre4k> why don't you trust the company? They shouldn't trust you
[16:03] <phre4k> either you install them a black box or they can configure it. Just charge them to change the network settings. They shouldn't do that anyway.
[16:03] <rbasak> phre4k: the problem is that I could add a "up" line in the /etc/network/interfaces file I give to the Python script, for example, and then I have root.
[16:04] <rbasak> phre4k: so everything needs to be sanitized and that is non-trivial to explain on IRC :)
[16:04] <phre4k> rbasak: that's why you don't specify free-form variables, you only ask for IP and mode and whatnot. They don't need up/down scripts.
[16:04] <genii> herrkin: You can lock out root password login and only make it by ssh with key. Then the machine is effectively locked out except from another box with acceptable key where you could re-enable password
[16:04] <TJ-> herrkin: why do you want an unprivileged user be able to create a network interface?
[16:04] <phre4k> rbasak: but yeah, your point is valid as f**k
[16:04] <rbasak> phre4k: my IP address is "\n\tup ..."
[16:05] <rbasak> phre4k: just ask my friend Bobby Tables. He knows all about this type of thing :)
[16:05] <phre4k> TJ-: that's what I ask myself too
[16:05] <phre4k> rbasak: haha, classic xkcd reference
[16:05] <herrkin> see, the companies always want to make an excuse to keep the code. I dont want that.
[16:05] <herrkin> the normal excuse is that they need to change the ip address because whatever reason
[16:05] <rbasak> herrkin: best thing to do then is run the server somewhere else where you have control of it.
[16:06] <herrkin> so if there is no network I can log into I cant configure it myself
[16:06] <rbasak> herrkin: sounds like they need a DHCP server. Allows them to change network settings on all of their network at once as they wish.
[16:06] <TJ-> herrkin: DHCP
[16:06] <herrkin> so I have to do something so that they can change it themselves without letting them touch the code
[16:06] <phre4k> if there is no network, they have to call you in and you have to fix it. For moneys.
[16:07] <herrkin> yeah thats out of topic I work nationwide in venezuela.
[16:07] <herrkin> so it is inefficient that they have to wait for me.
[16:07] <TJ-> I cannot imagine NOT using DHCP for this kind of situation
[16:07] <herrkin> me too. but they are always doing these things.
[16:07] <TJ-> DHCP static reservation; sorted
[16:08] <herrkin> I can manage the server because they do intranet. its not internet service.
[16:08] <TJ-> herrkin: sell them some consultancy on configuring DHCP :)
[16:08] <herrkin> so the service has to be in their premises
[16:08] <phre4k> tell them they have to fire their current network admin if he can't figure something out this simple
[16:08] <phre4k> (or she)
[16:08] <TJ-> (or it)
[16:08] <herrkin> ok lol
[16:08] <herrkin> just leave the ip as it is
[16:08] <phre4k> or this
[16:09] <TJ-> herrkin: or you could be sneaky and make the password the required IP address :D
[16:09] <phre4k> whyever they don't know that fancy thing called "hostnames"
[16:09] <herrkin> TJ-, I dont know what you mean
[16:10] <TJ-> actually... I can picture a pam_user_to_ip module that looks for a username of the form ip:A.B.C.D and assigns it :D
[16:10] <rbasak> As a bonus you'll have a list of IP addresses they have used in /home :)
[16:10] <herrkin> I am installing a box, I am on the company, they have changed the ip like 3 times because problems of access
[16:10] <herrkin> thats a very annoying thing.
[16:11] <herrkin> they have the dns disabled for now
[16:11] <TJ-> DHCP has to be the answer
[16:11] <TJ-> herrkin: who owns this PC, you or your customer?
[16:12] <TJ-> herrkin: you can't really deny them access then if they want it
[16:12] <herrkin> but the contract says we manage it. they cant access it.
[16:12] <herrkin> while we are in contract. if they want to leave it then they can.
[16:12] <TJ-> herrkin: I was going to suggest installing a small, cheap, router in front of it that they can access the web console of, and then have 'your' box take an IP from the router :)
[16:12] <herrkin> TJ-, that seems like a good idea
[16:13] <herrkin> to eliminate that problem
[16:13] <TJ-> herrkin: that way the router just does NAT from their IP to the known static IP subnet the 'box' is on
[16:13] <herrkin> so there is no touching the console at all.
[16:13] <TJ-> herrkin: although, then you have the problem of controlling what they can change in the router!
[16:13] <TJ-> herrkin: but yes, that stops them needing login access to the 'box'
[16:14] <herrkin> they can do whatever they want with that. I think that is not a problem.
[16:14] <herrkin> as long as they dont screw the nat
[16:14] <TJ-> herrkin: precisely; you could exchange one set of issues for another :)
[16:15] <TJ-> herrkin: although, if you choose the router carefully so it runs something open(wrt) like, you could provide a modified unprivileged log-on which only allows entering the router's 'WAN' side IP
[16:17] <TJ-> herrkin: another option... on the 'box' itself. install your own software in a VM guest, then they can log-in to the host, change its LAN-side IP. NAT/bridge host/guest and they can change the IP but can't mess with the encrypted guest nor need its password
=== markthomas|away is now known as markthomas
[16:22] <herrkin> something like a docker container_
[16:22] <herrkin> I thought of that
[16:23] <TJ-> LXC possibly
[16:24] <TJ-> or KVM for a full guest. That way you could keep an identical copy in your premises modify it, and ship revisions easily, too
[16:25] <herrkin> good I have to look that up.
[16:26] <TJ-> Xen is also an option for the hypervisor, with ubuntu in dom0, and your application in a guest in domU
[16:27] <herrkin> I guess lxc is better than kvm, for it doesnt emulate hardware. its faster, uses less resources as I have seen.
[16:28] <phre4k> herrkin: buy a Ubiquiti EdgeRouter, they're "cheap" and have pretty extensive features
[16:29] <phre4k> TJ-: if they can login onto the host, they have access to the guest, even if it's encrypted. You could however route only the interfaces file through to an LXC container
[16:29] <phre4k> and then they logon to the container
[16:29] <TJ-> All in all I think a front-router would solve the issue easiest
[16:31] <herrkin> or I could make it a web service. phre4k I can make for example node.js change those settings
[16:32] <herrkin> there is no need to log on the system.
[16:34] <TJ-> herrkin: do they change their sub-net? what network changes do they make that need the PC IP address to change?
=== Lcawte|Away is now known as Lcawte
[16:37] <phre4k> herrkin: yeah, it's an idea
[16:37] <phre4k> but still, suggest they fire their network admin
[16:45] <genii> TJ-: I also am curious why they need to change their IP all the time, sounds a bit fishy
[16:46] <TJ-> genii: makes you think 'ulterior motive'
[16:47] * genii makes more coffee
=== ntoskrnl is now known as cz2
=== cipi is now known as CiPi
=== Lcawte is now known as Lcawte|Away
[18:43] <captine> hi all.  question. adding ubuntu to AD following https://help.ubuntu.com/lts/serverguide/sssd-ad.html resulted in the server being added, however, it was added without the windows admin needing to enter a username and password.  pretty strange.  most times when adding windows laptops to AD, an admin needs to type username and password, but when adding ubuntu server to our domain, it was not needed?
[18:43] <captine> anyone else experience this?
[18:53] <toyotapie> hello. I have a virsh/kvm/qemu virtual disk in qcow2 format. It's 6.7 gigs. I have to convert it to vmdk to send to the windows guys, and it goes from 6.7 gigs to 27 gigs when I convert using qemu-img convert. Is there an option that I can specify so that the size doesn't grow out of control?
[18:56] <sarnold> toyotapie: you could try compressing it afterwards; if you're lucky the difference is largely filled with zeros...
[18:56] <sarnold> toyotapie: or, you could send your pals an ubuntu ISO image and tell them how to use qemu-img themselves? :)
[18:56] <sarnold> that'd still be ~23 gigabytes smaller, hehe
[18:57] <toyotapie> Yea, but even my ubuntu users use virtualbox which doesn't recognize qcow2.
[20:20] <atralheaven_> Hello, I want to setup PPTP vpn on my VPS, on the "/etc/pptpd.conf" file, there is "localip" and "remoteip", what should I use for localip? server ip or and I don't know what my clients IP would be, what should I do for that? Thank you
[20:20] <atralheaven_> btw, https://help.ubuntu.com/community/PPTPServer
[20:25] <RoyK> atralheaven_: just don't use pptp
[20:25] <RoyK> atralheaven_: openvpn is vastly better and more secure
[20:26] <atralheaven_> RoyK: I know, I have OpenVPN already set up
[20:26] <atralheaven_> RoyK: I need to have PPTP too
[20:27] <RoyK> atralheaven_: pptp is defined in RFC 2637 from 1999, written by Microsoft, and has status as "informational". It's not secure, not by far
[20:27] <RoyK> when something doesn't even get into the standards track, stay away
[20:28] <atralheaven_> RoyK: Im aware of this but I really have to, may you help me get this done?
[20:28] <RoyK> I don't think I've setup pptp for 10+ years, sorry
[20:29] <atralheaven_> RoyK: may you take a look at "https://help.ubuntu.com/community/PPTPServer" and tell me what do you think about "localip" and "remoteip" part?
[20:30] <RoyK> atralheaven_: not sure, but I guess the remoteip part is about what addresses to hand out as in a dhcp fashion, where the localip is the ip given to the local server's virtual nic
=== genii is now known as zombiegenii
[20:44] <atralheaven_> RoyK: Have you worked with l2tp?
=== zombiegenii is now known as genii
[20:46] <RoyK> atralheaven_: just for testing. usually it's problematic in terms of low-end gear that doesn't allow for other protocols than udp/tcp
[20:47] <atralheaven_> RoyK: Im trying to set up this too, OpenVPN was the best...
[20:50] <RoyK> openvpn just uses https, so it will work with all sorts of cheap NAT stuff
=== genii is now known as zombiegenii
[21:07] <atralheaven_> May someone please test my openvpn? I can't connect to it but everything seems to be fine, I thought it can be from country firewalling. I can give the .ovpn file, I want to see if you can connect to it
=== zombiegenii is now known as genii
=== genii is now known as zombiegenii
=== zombiegenii is now known as genii
[23:34] <soulisson_> Hi, when applying security updates to Apache, is the Apache version number supposed to change?
[23:34] <tarpman> soulisson_: version number as reported where/how?
[23:36] <soulisson_> tarpman, reported by Apache
[23:36] <ogra_> why would it
[23:36] <ogra_> its still the same version, just with a backported security fix
[23:37] <ogra_> (the package version changes though, it gets a suffix bump for the .1 suffix)
[23:37] <soulisson_> I'm really new to this, what does it mean to be backported?
[23:37] <ogra_> the fix gets taken from the newer version and added to the one that is in the release
[23:38] <tarpman> to add to that, some people oppose including the exact package version in the apache version reported over the internet, because bad people could use that to decide which attacks to attempt on you
[23:39] <soulisson_> ogra_, ok, so when a vulnerability is found Apache, Apache releases a new version of its product?
[23:40] <ogra_> they release a fix to the vulnerability ... most likely for the most recent version
[23:40] <RoyK> and then that fix is applied to the older version, if possible
[23:41] <soulisson_> ogra_, RoyK, ok, I see
[23:41] <RoyK> not all fixes are backportable, some are design changes, but most fixes get backported
[23:42] <ogra_> well, security fixes usually get backported :)
[23:43] <RoyK> ogra_: my point, but some issues may need to be fixed by design changes
[23:43] <ogra_> and some depend on newer features
[23:44] <RoyK> ogra_: with RHEL, we see that with cryptography changes, where redhat doesn't backport the changes to take out weak ciphers or methods or hashes. I'm not sure how that applies to debian/ubuntu
[23:44] <ogra_> heh, me neither, you have to ask the security team :)
[23:45] * RoyK dislikes working with redhat systems - no such thing as a do-release-upgrade
[23:46] <ogra_> though i think highly insecure ciphers would surely be dropped
[23:46] <soulisson_> Does Ubuntu Server provide the latest releases or does it only backport the fixes?
[23:46] * ogra_ looks forward to snappy on servers ...
[23:46] <RoyK> soulisson_: only fixes are backported
[23:47] <RoyK> soulisson_: if you want the bleeding edge, use 15.10
[23:47] <ogra_> i just upgraded my laptop to wily ... 2h wasted ... snappy could do it in 30min
[23:47] <bekks> ogra_: Did you try it using snappy?
[23:47] <RoyK> ogra_: heh - running on spinning rust?
[23:47] <ogra_> old XPS13 ... but slow internet (2MBit)
[23:48] * RoyK uses spinning rust for large data and loathes it for everything else
[23:48] <ogra_> bekks, nah, but i know that snappy has no separate packages and no maintainer scripts ... upgrading package by package (and coordinating all the interactions) is awfully time consuming
[23:49] <soulisson_> RoyK, Ok, so for instance if my server comes with let's say Apache 2.4.16, the Apache version will stay the same but the fixes will be applied
[23:49] <bekks> ogra_: If snappy has no separate packages - it wouldnt work I guess :)
[23:49] <ogra_> a snappy desktop would perhaps consist of 100 packages ... and have no delay for package configuration
[23:49] <bekks> ogra_: It has separate packages, but a different package management system.
[23:49] <ogra_> whereas my laptop upgraded ~2500 packages, downloaded each of them and configured each of them
[23:50] <ogra_> bekks, i know, i work on it ;)
[23:50] <ogra_> the point is that snaps have more bundled in them ...
[23:51] <RoyK> soulisson_: right
[23:51] <ogra_> and no delay after install ... they just get dumped in place ...
[23:51] <soulisson_> RoyK, ok, thanks for the help
[23:52] <ogra_> soulisson_, if you need to check if a certain security hole was fixed http://www.ubuntu.com/usn/ has all the links to the respective trackers and info pages
[23:53] <soulisson_> ogra_, thanks
