=== Lcawte is now known as Lcawte|Away
=== InfoTest1 is now known as InfoTest
=== waspinator_ is now known as waspinator
[04:55] <hallyn> zul: ping, pls to comment on bug 1513367
[04:55] <ubottu> bug 1513367 in libvirt (Ubuntu) "qemu-system-x86_64/kvm-spice failed to boot a vm with appmor enabled" [High,New] https://launchpad.net/bugs/1513367
=== cpaelzer_ is now known as cpaelzer
[08:12] <nayKang> NFS client cause high load average low cpu usage
=== Lcawte|Away is now known as Lcawte
[09:29] <lordievader> High IO-wait?
=== _ruben_ is now known as _ruben
[11:41] <zingz0r> Hi!
[11:42] <zingz0r> I'd like to backup my server with rsync and I like to know which folders should i backup before upgrade server?
=== Downtime is now known as Uptime
[11:50] <rbasak> zingz0r: I would back up *everything*. Makes a rollback really easy.
[11:51] <rbasak> (well, relatively)
[11:51] <rbasak> zingz0r: see /proc/mounts and the rsync -x option.
[11:51] <rbasak> You'll want to grab every real filesystem on your system, but not the virtual ones.
[11:54] <zingz0r> okay
[11:54] <zingz0r> thank you
[12:19] <hateball> zingz0r: fwiw, I tend to clone the entire disk (clonezilla) before making big changes. Or snapshot if virtual
[12:19] <hateball> less headache than missing that one vital file
[12:21] <zingz0r> rsync -aAXv --exclude={"dontneeded folders","1","2"} /* /backup
[12:21] <zingz0r> its okay? dsnt?
[12:44] <lordievader> zingz0r: You could also checkout dirvish, it uses rsync underneath.
[13:01] <coreycb> jamespage, can you promote ceilometer from trusty-kilo-proposed?  testing is complete.
[13:01] <coreycb> jamespage, can you also promote python-saharaclient from trusty-liberty-staging?  testing is  complete for that too.
[13:20] <T3DY> :)
[13:26] <T3DY> dw1.xyz
[13:44] <jamespage> coreycb, ack on it now
[13:47] <AtuM> when will Ubuntu get teaming for network? I can't find packages for "libteam" or "teamd".. but I can create a team using ip tools..
[13:50] <dw1> aww ye
[13:55] <rbasak> cpaelzer: in https://git.launchpad.net/~ubuntu-server/dpdk/commit/?h=ubuntu-xenial&id=b5b9a5d95a9ee17fff1642f41c78e112a0aabbc4 why add /usr/bin to the PATH if the goal is to avoid dependency on /usr?
[13:57] <rbasak> AtuM: back in April, apparantely. https://launchpad.net/ubuntu/+source/libteam
[13:57] <rbasak> No idea if it works though.
[14:08] <AtuM> I've tried to install in on 14.04.3.. probably need to wait for the next lts
[14:11] <rbasak> Well, 14.04 was released before last April.
[14:12] <rbasak> If you don't want to update to the latest release (understandable for LTS-ness), then a consequence is that you don't generally get to enjoy the latest features.
[14:14] <cpaelzer> rbasak
[14:14] <cpaelzer> rabasak, sorry for prematurely pressing enter :-)
[14:15] <cpaelzer> rbasak, the intention after some disussion was to avoid the same bug showing up again in case one doesn't remember some day and adds a piece to the init script
[14:16] <rbasak> cpaelzer: is there any way we can test directly instead, say using dep8?
[14:16] <cpaelzer> rbasak, the reason why we not "just added the path" alone was that others suggested /usr could not be mounted in rare cases
[14:18] <cpaelzer> rbasak, once we have a way to safely derive all binaries called from a shell script the rest would likely be easy
[14:19] <rbasak> cpaelzer, smb: would it be possible to have a dep8 test that requires virt isolation, checks that there is exactly one mount, restarts the service and checks that there is exactly one mount again?
[14:21] <smb> rbasak, maybe...
[14:26] <cpaelzer> rbasak, but that test would only cover one specific symptom of the underlying issue
[14:26] <rbasak> cpaelzer: what's the underlying issue?
[14:27] <cpaelzer> rbasak, that referring to /usr/ binaries needs a PATH to there set, and even if it is it could sometimes break if /usr is not yet mounted at the time being executed
[14:27] <rbasak> cpaelzer: I disagree. I'd say that the underlying issue is that the service start is supposed to make sure that hugetlbfs is mounted, and it doesn't. That's the functionality expected, so we should test for that.
[14:28] <rbasak> cpaelzer: similarly we should test any other functionality we add in packaging if we can.
[14:28] <cpaelzer> rbasak, ok from a "function test" POV thats right
[14:28] <rbasak> cpaelzer: it's true that if /usr isn't mounted then that could fail
[14:28] <rbasak> As in false negative
[14:28] <rbasak> As the dep8 test won't be unmounting /usr
[14:29] <rbasak> And I admit that that is a case that probably isn't worth testing as it's too convoluted to test easily.
[14:29] <rbasak> But we should be able to test the basic functionality.
[14:29] <cpaelzer> rbasak, from your suggestion I'd even say start with no hugepages mountpoint and execute the init sript two times
[14:29] <cpaelzer> it should be there after the first call
[14:29] <cpaelzer> and it should still be there but only once after the second
[14:29] <rbasak> Yeah that would be fine. It depends on how you orchestrate the test.
[14:30] <rbasak> If you add the package as a test dependency, then the test running framework will already have run the postinst and thus the init script once I think.
[14:30] <rbasak> OTOH you could choose not to list it as a test dependency and install it manually.
[14:36] <cpaelzer> rbasak, to sum things up for the review of smb's upload request - do you want us to add such a test before accepting it?
[14:37] <rbasak> cpaelzer: yes please.
[14:37] <smb> bugger
[14:37] <rbasak> Does that hold anything up?
[14:38] <jamespage> coreycb, is the ceilometer update in vivid as well?
[14:38] <smb> rbasak, It holds up my getting rid of it for Xenial
[14:38] <cpaelzer> it holds up smb getting rid of it :-)
[14:38] <cpaelzer> and dpeending on how long it takes the MIR processing
[14:38] <cpaelzer> but I guess they trust us when we say dependency gets remove
[14:38] <cpaelzer> d
[14:38] <smb> cpaelzer, Also it becomes a little more complicated to properly do now that git is pushed with tags
[14:39] <rbasak> smb: don't worry about the tag. It's nowhere official yet. You can delete the tag with git push --delete
[14:39] <smb> cpaelzer, More or less open a new version and create the upload in a way containing both version changelogs
[14:39] <smb> rbasak, also in lp git?
[14:39] <cpaelzer> smb, I really think this can just be another spin of ..ubuntu2
[14:40] <rbasak> smb: even in lp git. It's just a random repo currently, not official anything. Nothing git is officially tied to packages yet anyway.
[14:40] <coreycb> jamespage, no.  arges, can you promote ceilometer from vivid-proposed today?
[14:40] <smb> rbasak, for some reason I assumed lp git makes it hard to delete tags
[14:41] <jamespage> coreycb, I normally gate on the main SRU process completing first...
[14:41] <smb> rbasak, if that is possible then it might be just a respin
[14:41] <coreycb> jamespage, yep, I'll ping you when it's in vivid-updates
[14:41] <rbasak> smb, cpaelzer: everything else looks fine to upload in the current tree, assuming it all works. I haven't tried a test build to see the result of https://git.launchpad.net/~ubuntu-server/dpdk/commit/?h=ubuntu-xenial&id=0c85a8e0d245f7d0d32999489b088b559c40153e so I'm assuming it's OK too.
[14:41] <smb> rbasak, I did build the tree version
[14:42] <smb> rbasak, in both xenial and wily
[14:42] <rbasak> smb: it's really easy to delete git tags. So yes you should be able to update the proposed ubuntu2.
[14:42] <smb> though I won't backport the font change to wily
[14:42] <smb> rbasak, normal git yes, I just was not sure about lp's implementation there
[14:43] <rbasak> lp doesn't seem to object to any kind of force push.
[14:43] <rbasak> It seems to work as if I had a remote ssh server with no surprises.
[14:44] <rbasak> Though it would be nice if I could restrict force push to team admins or something to prevent accidents.
[14:45] <smb> rbasak, ok, have not tried. maybe we use a stricter set of rules for the kernel. just remember hearing it being said to be hard. Not tried that either
[14:46]  * smb wonders whether cpaelzer would volunteer for the dep8 thing since he did all the discussion on it already (and I am currently tied up in something else)
[14:49]  * cpaelzer is willin to start a battle who is more tied up with smb
[14:49] <cpaelzer> smb is there an online app for drawing straws?
[14:49]  * smb checks the appstore
[14:51] <cpaelzer> smb it seems it isn't today or tomorrow for either of us - lets discuss monday morning
[14:51] <smb> cpaelzer, maybe we can quickly sync on the busy state tomorrow and see
[14:51] <smb> or that
[14:51] <cpaelzer> we can even make remote hangout straw drawing if we want
[14:51] <jamespage> coreycb, saharaclient -> proposed for liberty
[14:52] <coreycb> jamespage, thanks
[14:54] <rbasak> roaksoax: it looks like freeipmi quite badly needs a merge this cycle. I know MAAS has been involved with it. Will this impact you?
[14:54] <rbasak> Or do you want to take on the merge?
[15:00] <roaksoax> rbasak: no shouldn't impact me at all
[15:00] <rbasak> roaksoax: OK thanks
=== Piper-Off is now known as Monthrect
[15:16] <rbasak> matsubara: around? I'm looking for the test case reviews I was asked to do but I can't seem to find them. The URLs from the meeting 404.
[15:22] <matsubara> rbasak, they might have been deleted.
[15:22] <matsubara> rbasak, would have to ask psivaa and om26er
[15:24] <matsubara> rbasak, I asked psivaa in #ubuntu-devel.
[15:46] <jge> Hey guys, good morning. I'm trying to install a specific version of nginx with 'nginx=version' but I get a bunch of umet package dependencies, it will always try to install the most recent candidate version for dependencies. Any way of telling apt to grab the necessary versions to meet these dependencies without doing it manually?
[15:51] <rbasak> jge: installing old versions means that you're effectively opting out of security updates and installing a vulnerable deployment. Is that really what you want?
[15:52] <rbasak> jge: I'm not sure how exactly to get apt to do that, but adjusting pinning and scores might be able to achieve it, I'm not sure.
[15:56] <jge> rbasak: well, what I do is install the version I want then bring this version up to the most latest security version out there.
[15:56] <jge> I only do security updates
[15:56] <rbasak> You won't get security updates if you have to force apt around.
[15:57] <teward> ^ that
[16:00] <Yossarianuk> hi - in order to get mkhomedir with freeipa-client working in Ubuntu I have to edit the fie -> /etc/pam.d/common-session and add the line - session required      pam_mkhomedir.so  skel=/etc/skel umask=0022
[16:00] <Yossarianuk> this is ok however is there a danger my change will be overwritten ?
[16:00] <Yossarianuk>  (on a update, etc)
[16:00] <Yossarianuk> ts odd though - that file was brought in via the freeipa-client package (or dependency) but dpkg -S /etc/pam.d/common-session shows no package ...
[16:00] <Yossarianuk> dpkg-query: no path found matching pattern /etc/pam.d/common-session
[16:01] <Yossarianuk> why is that ?
[16:01] <jge> rbasak: so just to be clear, if I use apt-get install package=version and then try to use unatendded-upgrades with only security updates allowed it wont work?
[16:01] <Yossarianuk> same for ->  dpkg -S /etc/sssd/sssd.conf
[16:01] <Yossarianuk> dpkg-query: no path found matching pattern /etc/sssd/sssd.conf
[16:01] <jge> and by working I mean, will no longer get security updates
[16:01] <Yossarianuk> (these packages are in the default Ubuntu 14.04 repo)
[16:02] <rbasak> jge: I can only say that it may not work. I can't say for certain that it won't. But it isn't a supported path to use anything but the latest version of a package visible to apt.
[16:02] <rbasak> jge: if you have some reason to use an older version, then we should address that, rather than trying to plaster over it.
[16:03] <rbasak> Yossarianuk: policy says that upgrades should never stomp on changes you make manually in /etc. However there could be a bug in implementation of course.
[16:04] <rbasak> Yossarianuk: you may need to manually merge changes during an update though, since scripts can't generally automatically work out what you mean and apply that to a newer version of the file.
=== rattking_ is now known as rattking
[16:04] <rbasak> Yossarianuk: not all files in /etc will be known by dpkg. There is default handling, but packages can also generate and manage files themselves in maintainer scripts and in that case dpkg doesn't see them.
[16:05] <rbasak> jge: put another way, security updates bump the version number to one higher than all previously published in a given series. So if there is some reason to have an old version, that is already lower than a future security update.
[16:06] <rbasak> jge: so it makes no logical sense to have an older version and also expect security updates.
[16:06] <rbasak> Security updates are applied on the latest version for a given series.
[16:10] <jge> rbasak: hmm ok, so how come I'm seeing this security update on the last version? https://zerobin.net/?a5b3111921fb5a1e#ovjqbTtQT0x62l64nqvirXQEVFVCGcNVGUrkEuIqTY4=
[16:10] <teward> ehehehehe
[16:11] <teward> jge: trusty-security is the security updates
[16:11] <teward> trusty-updates is the 'updates' that happen to fix bugs
[16:11] <teward> (non-security in nature)
[16:11] <teward> if you want only security updates then you should not have -updates enabled
[16:11] <teward> but you will miss bug fixes and other issues
[16:11]  * teward would know the nature of that package since he is the 'maintainer' of it in Ubuntu now
[16:11] <jge> Yeah I'm aware of this
[16:12] <jge> i do not have updates enable, I use unattended-updates with security origins only allowed
[16:12] <jge> enabled*
[16:13] <jge> maybe I'm not explaining myself all that good :D
[16:13] <jge> let me try it again..
[16:13] <rbasak> jge: start with explaining why you are installing an older version.
[16:13] <Yossarianuk> rbasak: thanks for the explanation
[16:14] <Yossarianuk> still unsure why the line isn't added by default -  it is in the Fedora/rhel packages.
[16:14] <Yossarianuk> I guess backing up the files regularly will be a good plan.
[16:15] <rbasak> Yossarianuk: it's reasonable to expect that install a PAM module will enable it automatically. I'm not sure that's necessarily a good idea though; it's fraught with danger.
[16:15] <rbasak> Also you might be installing a PAM module for a particular case but not want it in the general case, in which case adjusting common-session would be the wrong thing to do.
[16:16] <rbasak> For example I use libpam-google-authenticator but only with ssh and not common-session.
[16:17] <jge> rbasak: I would like to keep a consistent version across all servers, I wouldn't like someone to build a server and just install the latest out there. This will cause different versioning of software cross our fleets, so my idea was to install a base version shipped with 14.04 LTS and then bring this version to the latest security version
[16:17] <jge> hope that makes better sense :(
[16:17] <rbasak> jge: that's a reasonable thing to want to do.
[16:17] <Yossarianuk> rbasak: cheers again !
[16:17] <rbasak> Yossarianuk: no problem! I hope that was helpful.
[16:18] <rbasak> jge: an easier way might be to install without -updates or -security enabled at all.
[16:18] <rbasak> jge: and *then* enable -security only if you wish.
[16:18] <jge> yep that's what I currently do
[16:18] <Yossarianuk> aside from having to modify that and /etc/sssd/sssd.conf (to add sudo to services) the ipa-client package works fine in the default ubuntu package (in 14.04 at least)
[16:18] <rbasak> So then you shouldn't need apt to force versions?
[16:19] <jge> rbasak: thing is that when I build a new box, and use apt-get install nginx, it will always install the latest (candidate) version
[16:19] <rbasak> jge: not if it doesn't have -updates or -security enabled.
[16:19] <rbasak> jge: then it'll install the release pocket version only.
[16:20] <rbasak> jge: when I say "enabled", I mean "visible to apt via sources.list".
[16:22] <jge> rbasak: that's what I thought too, I did a fresh install last night and checked the candidate version and it has 3.3 as candidate
[16:22] <jge> which is the latest
[16:22] <jge> maybe because I did a apt-get udpate?
[16:22] <rbasak> I don't think you have tuned your sources.list
[16:22] <rbasak> Look at the output of "apt-cache policy" and it'll tell you where it is picking up 3.3 from.
[16:23] <rbasak> 3.3 is in trusty-updates only, therefore you must have it enabled.
[16:23] <teward> ^ that
[16:23] <teward> (which is what I was saying xD)
[16:24] <jge> hmm ok, I see what you're saying
[16:24] <jge> let me check
[16:25] <teward> though I strongly recommend using the version *in* updates... if only because there's a fairly huge initscript pidfile extraction fix
[16:25] <teward> it didn't qualify as a security bug, but it was a fairly huge issue
[16:26] <teward> (lots of bugs on it)
[16:26] <jge> damnit, I thought during the installation there was a prompt to turn updates off
[16:26] <jge> i have them enabled :*
[16:27] <teward> jge: there's the problem then :)
[16:28] <teward> though keep in mind what I did just say - there's a pidfile extraction fix in the initscript, so if you have complex regex or such in the nginx configurations it can completely fail
[16:28] <jge> YESSSS now i see candidate only coming from trusty-security which is the same version I have in production
[16:31] <jge> i'm wondering now why you would use unattended-upgrades with only security updates enabled, when you can just disable regular udpates on your sources.list?
[16:31] <rbasak> You might want an attended update from -updates :)
[16:33] <jge> that's true.
[16:34] <jge> so now that only security updates are allowed, if I run "apt-get upgrade" on this box it will only do security updates correct?
[16:34] <jge> or in this case candidate version from trusty-security
[16:36] <teward> right
[16:36] <teward> but you won't be able to install from -updates, now
[16:36] <teward> even manually
[16:36] <teward> (because the system now doesn't realize there's items in that repository)
[16:36] <jge> understood
[16:37] <jge> rbasak, teward: you guys are great, thanks for your help.
[16:39] <rbasak> No problem.
[16:40] <teward> that's what we're here for :)
[16:40] <teward> rbasak: FYI: nginx merge stalled, i'm running into package conflicts that are headaches (the fact I have to do it from source packages directly rather than a nice VCS / UDD approach for it is causing headaches)
[16:41] <teward> manual pushes later won't be an issue, it's just the initial merge to the 1.9.x branches that're giving headaches :/
[16:41] <rbasak> teward: I use git: http://www.justgohome.co.uk/blog/2014/08/ubuntu-git-merge-workflow.html
[16:41] <rbasak> (for merges)
[16:41] <teward> *steals*
[16:42] <teward> rbasak: thank you kindly!  (bzr != option because the Xenial code branches aren't available... which hampers those of us who use the UDD process)
[17:09] <rbasak> jcastro: ^
[17:19] <rbasak> teward: let me know if you need any help with that
[17:19] <rbasak> teward: the future will be dgit I think. See https://lists.ubuntu.com/archives/ubuntu-devel/2015-November/039010.html
=== Monthrect is now known as Piper-Off
[17:29] <jge> so now I'm stuck with an ansible playbook which does not support "apt-get upgrade", only supports aptitude. Someone suggested using the "hold" parameter to achieve the same behavior, but I'm not familiar with aptitude. Anyone know how this can be done?
=== thumper is now known as thumper-afk
=== thumper-afk is now known as thumper
[23:18] <grendal_prime> ok im trying to set up an email server..."zimbra" to be exact...i aparently have totally lost all understanding of how dns works?
[23:19] <grendal_prime> the zimbra server is behind a linux software router using iptables. I have opened ports 110 25 and995 and forwarded those ports to the zimbra server.
[23:20] <grendal_prime> I have pointed my mx record at netsol to my ip address
[23:20] <trippeh_> mx has to point to a name
[23:20] <trippeh_> then name points to ip address
[23:21] <grendal_prime> when i run the config for zimbra it complains about DNS ERROR - none of the MX records for mail.mydomain.com resolve
[23:21] <grendal_prime> ok..so if my domain is mydomain.com...and it points to the correct ip..
[23:21] <quantic> MX records cannot point to an IP. They must point to an A or AAAA record.
[23:21] <teward> grendal_prime: DNS entry: mail.mydomain.com A yourip
[23:21] <teward> MX points to mail.mydomain.com
[23:21] <teward> but note if the IP is dynamic and on a residential provider you may get blacklisted
[23:22] <teward> so then mail isn't sent/received
[23:22] <teward> (and your ISP may block as well)
[23:22] <quantic> (almost definitely.)
[23:22] <grendal_prime> oooo ok im pointing it to mail.mydomain.com and i just have an a record of mydomain.com
[23:22] <teward> grendal_prime: yeah, wheverver the MX points must resolve
[23:22] <teward> for example..
[23:22] <grendal_prime> no its b2b comcast
[23:22] <quantic> Also, an MX record cannot point to a CNAME. It MUST be an A record.
[23:22] <teward> 'b2b' = ?
[23:22] <teward> quantic: or AAAA
[23:22] <grendal_prime> comcast built 4 business..
[23:23] <quantic> teward: I figured that was sort of implicit. :P
[23:23] <grendal_prime> sorry b4b
[23:23] <teward> ah
[23:23] <teward> quantic: :P
[23:23] <grendal_prime> if i run a test from http://www.websitepulse.com/help/testtools.mx-lookup-test.html it does resolve...werid
[23:23] <quantic> grendal_prime: what's the domain name in question?
[23:24] <grendal_prime> quantic sent to you prvt
[23:25] <grendal_prime> cause its a secret...just kidding...
[23:25] <quantic> grendal_prime: current records look OK.
[23:26] <grendal_prime> ya i just changed them
[23:26] <trippeh_> local dns cache may be outdated then
[23:26] <grendal_prime> now here is the thing, it use to be a gmail hosted domain
[23:27] <grendal_prime> if i send something to that account now though and i log into it, it never comes through so im assuming thats not working anymore
[23:30] <grendal_prime> ok
[23:31] <grendal_prime> so the zimbra install is trying to resolve booksnmore.com but it is aparently unable to do so because it just comes back to say it cant do this.
[23:32] <grendal_prime> if i log into the box second ssh session and ping from there it resolves correctly ..
[23:32] <grendal_prime> host name of the email server would need to be "booksnmore.com" correct?
[23:35] <grendal_prime> so hosts file would be.... firstline 1127.0.0.1 localhost.localdomain localhost  second line 192.168.100.100 booksnmore.com
=== IdleOne- is now known as IdleOne
[23:46] <RoyK> grendal_prime: 1127.0.0.1 seems like a rather wierd address ;)
[23:46] <grendal_prime> sorry two many 1s...thats its really just 127
[23:47] <grendal_prime> zimbra gives examples of zimbra.booksnmore.com
[23:47] <RoyK> grendal_prime: do you have a DNS entry for that server?
[23:47] <grendal_prime> i have one for booksnmore.com
[23:48] <RoyK> grendal_prime: then you should not need a hosts entry
[23:48] <quantic> RoyK: iirc, zimbra demands that they exist.
[23:48] <grendal_prime> do i need to create another a record of like...zimbra.booksnmore.com  and then point the mx record to that?
[23:48] <RoyK> quantic: yeah
[23:49] <sarnold> does zimbra demand that forward and reverse lookups need to match?
[23:49] <RoyK> sarnold: no
[23:49]  * RoyK uses zimbra without a reverse
[23:49] <sarnold> aha
[23:49] <grendal_prime> ok RoyK
[23:50] <RoyK> grendal_prime: there may be more help in #zimbra - last I checked, zimbra isn't packaged with ubuntu
[23:50] <grendal_prime> so if i have booksnmore.com and it resolves for all other services..i should be able to make an mx record for just booksnmore.com correct?
[23:51] <RoyK> booksnmore.com.		7200	IN	MX	10 booksnmore.com.
[23:51] <RoyK> ooks ok
[23:51] <RoyK> looks ok to me
[23:51] <grendal_prime> ok
[23:51] <grendal_prime> what do you use to check that by the way..
[23:52] <RoyK> dig mx yourdomain.com
[23:52] <grendal_prime> im using a service but i would like to just ping it somehow
[23:52] <grendal_prime> oh it is dig ok thanks
[23:56] <grendal_prime> ok so at my router then i need to forward ports...25, 110  to the zimbra sever