/srv/irclogs.ubuntu.com/2016/03/11/#ubuntu-server.txt

[01:37] <hallyn> uh, that patch is bogus though.  it takes a const char *perms and then updates it
[02:18] <hallyn> ok, another try
=== Guest38484 is now known as mfisch
=== mfisch is now known as Guest13749
[02:46] <hallyn> rharper: ppa:serge-hallyn/virt package built
[02:47] <rharper> k
[02:47] <hallyn> though the ppa view is still confused
[02:48] <hallyn> make sure to get 1.3.1-1ubuntu7~ppa6, not 5.  (5 failed to build so shouldn't be available, but...   this is confused)
[02:48] <hallyn> oh there, finally updated
[02:52] <hallyn> oh screw libvirt.  now i get 'domain not running'  no idea what that's about
[02:52] <hallyn> oh, heh, wrong domain name
[02:54] <hallyn> didn't fix the problem for me :(
[02:55] <hallyn> still might push the pkg i have bc it has several important fixes
[03:00] <hallyn> oh, blah.  do i have to use 'R' also when depth == 0?
[03:00] <hallyn> ungh, i see
[03:00] <hallyn> rharper: yeah if you haven't yet don't waste your time, one more update to my patch
[03:01] <rharper> I've not yet
[03:01] <rharper> so I shall wait some more
[03:01] <hallyn> actually, maybe i can avoid doing the change when depth == 0.
[03:02] <hallyn> if i have a qcow2 stack and the top part of the layer is readonly, *then* maybe i really want to deny writes ?
[03:02] <hallyn> don't think so though, just unhappy with needing this relaxation
[03:03] <hallyn> ^ do you get the feeling we should have someone who knows what they're doing taking over libvirt? :-)
[03:03] <hallyn> ok another 25 mins hopefully
[03:04] <rharper> heh
[03:04] <rharper> ok
[03:24] <hallyn> yay, success
[03:24] <hallyn> and all without having a working mouse today :)
[03:24] <hallyn> of course i don't actually *want* my uvt-kvm base image updated
[03:25] <hallyn> rharper: ok it's working for me so i'm going to push the pkg to xenial, no need for you to test unless you want to
[03:25] <hallyn> thx
=== devil is now known as Guest90181
=== Sprockt is now known as Sprocks
[06:11] <hardwire> ahha.. you can select an ubuntu-server-minimal preseed
[06:11] <hardwire> that's handy.
=== dax is now known as daxcat
=== Guest90181 is now known as devil_
[07:45] <hallyn> rharper: so regarding bug 1393842 I'm trying to find where qemu, for q guest agent, ever does an mknod, and not finding it.  Thinking I may have to undo that part of the fix in comment #40.
[07:45] <ubottu> bug 1393842 in libvirt (Ubuntu Trusty) "libvirt does not grant qemu-guest-agent channel perms" [High,Confirmed] https://launchpad.net/bugs/1393842
[07:47] <hallyn> though the error msg in comment 14 seems pretty clear....  but i'm not getting it
[07:48] <hallyn> (my concern is, if it's not supposed to mknod, then i'd rather not grant it that capability in apparmor profile for no good reason)
[09:51] <zetheroo> using Ubuntu 14.04 here. In a user's home directory there is a file which has user and group ownership by root. It's also read-only to any user that is not the owner. If I login as a user (not root) and open the file with vim I can then edit and save the file without using sudo. When I do this the file is saved and it's ownership changed to the user I am logged in as (not root).
[09:52] <zetheroo> This seems like a security vulnerability. How to stop this?
[11:01] <jushur> zetheroo: encryption file?
[11:02] <zetheroo> jushur: I found a solution - using chattr
[11:03] <zetheroo> its a very specific case and I was not aware that whoever owns the directory can do whatever they want with the files inside, even if the files are owned by root and only owner has write perms to the file.
[11:03] <zetheroo> Now I know ...
[11:16] <lordievader> zetheroo: That shouldn't be possible. It shouldn't matter who owns the dir. If you have write access to a file you can write to it. If you don't you cannot write to it.
[11:16] <zetheroo> lordievader: apparently this is not how linux perms work
[11:17] <jushur> actually it is, tho you can technically as your user change the permission and owner/group on a file so only root can access it.
[11:18] <lordievader> zetheroo: It is, I just tested it. Vim is not able to edit a file owned by root.
[11:18] <jushur> and in that moment your user loses the rights
[11:18] <zetheroo> lordievader: is the file in a users home directory?
[11:19] <lordievader> Oeh, interesting when using the overwrite (:w!) it is able to write it...
[11:19] <zetheroo> yep
[11:19] <Deeps> http://paste.ubuntu.com/15346744/
[11:20] <zetheroo> like I said, the only solution I found was to use chattr +i on the file (done as root)
[11:20] <Deeps> 1119.11 < lordievader> Oeh, interesting when using the overwrite (:w!) it is able to write it...
[11:20] <Deeps> it deletes the file
[11:20] <Deeps> and recreates it
[11:20] <Deeps> notice the perms have changed to be owned by your user
[11:20] <zetheroo> yep ^
[11:20] <Deeps> because your user owns the dir, it can create/delete files
[11:20] <jushur> rofl
[11:20] <zetheroo> this really stumped me, and nearly everyone else I talked about it with :D
[11:21] <Deeps> vim override: http://paste.ubuntu.com/15346753/
[11:21] <Deeps> general file operations: http://paste.ubuntu.com/15346744/
[11:22] <lordievader> Deeps: It doesn't it points to the same block. And besides why can I remove a file owned by root.
[11:22] <Deeps> lordievader: because you own the dir, so you can do whatever you want to anything inside that dir
[11:23] <Deeps> i can't speak for whether or not this is by design, but it certainly looks like that's how it operates currently
[11:23] <lordievader> Hmm, interesting.
[11:23] <Deeps> but this would be why root owns / and changing the owner of / would be badnewsbear
[11:24] <zetheroo> yes, and why user root can edit everything under / because it owns /
[11:25] <zetheroo> if John Smith owns /home/johnsmith/ then he too can edit anything under /home/johnsmith/ regardless of who else may have gotten ownership to the file
[11:26] <lordievader> That makes sense, guess I learned something today :)
[11:26] <zetheroo> me too :)
[11:41] <skylite> I have to clear out a folder thats full of hardlinks. I dont care which one is deleted I just want to have only one of each file without any hardlinks. Anyone has a solution for that?
[11:56] <rbasak> I don't think that's easy. You could create a file containing inode number and path, and then do some keyed sorting and uniq'ing on that.
[12:58] <skylite> I think I better write a shellscript for this
[13:25] <mdeslaur> rbasak: are you still working on squid3?
[13:31] <rbasak> mdeslaur: yes but task switched away from it for the moment.
[13:31] <rbasak> The version in xenial-proposed may be good to go, except for one bug reported by Odd_Bloke bloke I think, and needs some testing against squid-deb-proxy and squidguard.
[13:32] <rbasak> kickinz1_ was going to do some testing on it for me.
[13:32] <mdeslaur> rbasak: ok, good to know. Just checking up to make sure the new version is eventually going in, for security reasons.
[13:32] <mdeslaur> rbasak: thanks!
[13:32] <rbasak> It's still planned to go in, yes. Thanks for checking.
[13:43] <pezet91> hello, anyone can install LSI MegaRAID SAS driver on ubuntu server?
[13:44] <jushur> !ask pezet91
[13:44] <jushur> !ask | pezet91
[13:44] <ubottu> pezet91: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[13:45] <patdk-wk> sure
[13:46] <pezet91> i looking for driver for LSI MegaRAID SAS controller, because current driven in kernel 3.8 don't see my sas disk (sorry for my english)
[13:46] <pezet91> driver*
[13:48] <pezet91> specification: Fujitsu Primergy TX2540 M1, MegaRAID SAS controller, Ubuntu Server 14.04 (kernel 3.8)
[13:49] <patdk-wk> and lsipci shows?
[13:50] <pezet91> lsipci: command not found :/
[13:51] <patdk-wk> lspci
[13:52] <pezet91> lspci | grep Mega : RAID bus controller: LSI Logic / Symbios Logis MegaRAID SAS-3 3008 [Fury] (rev 02)
[13:53] <pezet91> i can't rewrite entire log
[13:55] <rharper> hallyn: have we reproduced?  I don't see a  full guest xml or qemu command line;  qga makes a unix-socket, which I don't think needs mknod;  if they're using virtfs-9p; it could have proxied a mknod request from the guest;  other than that; I'm not currently seeing any qemu code that needs mknod
[13:56] <jushur> pezet91: rewrite? you copy or pastebin if its multiline
[13:56] <jushur> pezet91: Symbios Logis MegaRAID SAS-3 3008 is that truly a 3008? or is it 3080?
[13:56] <pezet91> 3008
[13:57] <pezet91> i can't copy, because i have ubuntu server on other machine
[13:57] <pezet91> only console
[13:58] <jushur> !pastbin | pezet91
[13:58] <pezet91> wait
[14:00] <pezet91> http://pastebin.com/EJHzH53d
[14:00] <jushur> pezet91: you sure it uses the megaraid_sas driver? and not mpt3sas ?
[14:01] <pezet91> i'm not sure
[14:02] <jushur> pezet91: do you have physical access to the card? can read its sticker/name on it?
[14:02] <pezet91> yes i have physical access
[14:03] <pezet91> wait, i need to open the case
[14:04] <pezet91> http://www.fujitsu.com/fts/products/computing/servers/primergy/components/pmod-157814.html , it's my card
[14:06] <jushur> PRAID CP400i (D3307) (PCIe to 8-port SAS-3.0 RAID HBA (LSI 3008)) (driver megaraid_sas)
[14:08] <pezet91> yes, but if I type "modprobe megaraid_sas", it's don't work
[14:09] <pezet91> i can't see my disks
[14:09] <jushur> pezet91: check dmesg for info
[14:09] <sdeziel> pezet91: you said you have  Ubuntu Server 14.04 and kernel 3.8. Any idea why you are not on the 3.13 kernel?
[14:10] <pezet91> i can't use kernel 3.13 because i have video grabber in server (grabber works only with kernel 3.8)
[14:11] <pezet91> joshur: last line on dmesg: [ 3141:670846] megasas: 06.504.01.00-rc1 Mon. Oct. 1 17:00:00 PDT 2012
[14:15] <pezet91> so? anyone can help me? I struggle with this problem for a week :(
[14:18] <jushur> pezet91: my tip would be turn it off, disconnect the system drive and any important data drives. so you dont destroy any data. (document/tape any cables so you know what goes where.) then use a live usb install and start the system to see what works and what does not. try the new 16.04 beta too. and see if that can handle it.
[14:21] <pezet91> ok
[14:22] <pezet91> thanks
[14:22] <jushur> pezet91: use a second usb drive/stick to save logs to. from each test. so you can compare.
[14:23] <jushur> pezet91: do the sas card show the drives connected when you boot up? like its integrated firmware does recognize them?
[14:36] <RoyK> pezet went... well - if he comes back, he may be told that this type of controller isn't an HBA, so to see the physical disks, they need to be defined in the controller somehow, either as a hwraid or in JBOD-mode (if supported) or as a single RAID-0 per drive
[14:49] <jamespage> coreycb, ok 0 test failure for mitaka-staging - going to shove everything apart from the dashboard into proposed
=== Guest13749 is now known as mfisch
=== mfisch is now known as Guest88074
=== Guest88074 is now known as mfisch
[15:01] <coreycb> jamespage, awesome.  still the horizon issue though so maybe hold off on promoting that.
[15:01] <jamespage> coreycb, ack skipped horizon
[15:05] <Zeljko> Any free shell access ?
[15:34] <kpettit> Have a weird log issue.  I've got 2 Ubuntu 14.04 servers.  One the weblogs rotate and the other doesnt.  I have a 9GB log file for example.  Apparently it's never rotated.
[15:35] <kpettit> My /etc/cron.daily/logrotate is the same as my other Ubuntu 14.04 systems that work.  And in the /etc/crontab it calls the daily crons like it's supposed to.
[15:35] <kpettit> So I have no idea where to look to see why logrotate isn't running.
[15:37] <kpettit> I can run the cron job "sh /etc/cron.daily/logrotate" and it works manually.  So something is messed up with cron.  But it's identical to other working Ubuntu systems.  It's tripping me out and I'm not sure how to troubleshoot.  Any ideas?
[15:43] <BlackDex> Hello there, i have a lot of messages in dmesg which look like this: [  440.753544] init: <service-name> main process (10109) killed by TERM signal
[15:43] <BlackDex> where <service-name> are several services
[15:44] <BlackDex> what could be the problem??
[15:49] <kpettit> is it a low memory system?
[16:09] <coreycb> jamespage, I wonder if this is related: https://bugs.launchpad.net/horizon/+bug/1550286
[16:09] <ubottu> Launchpad bug 1550286 in Magnum UI "dynamic themes breaks compress offline" [Undecided,Fix released]
[16:09] <jamespage> hmm might be
[16:10] <jamespage> or it could be that our charm template for mitaka is foobar in the charm
=== daxcat is now known as rwd
[17:27] <hallyn> rharper: yeah i think i'll drop that.  (and start upstreaming the other patches which are in xenial)
[17:27] <hallyn> (that being the mknod exception)
[17:27] <rharper> hallyn: and at least request the full command line
[17:27] <hallyn> although yes i think i had reproduced at some point
[17:27] <rharper> or how to reproduce
[17:27] <hallyn> i think you just create a rhel7 vm in virt-manager
[17:27] <rharper> that could be documented
[17:27] <rharper> that's not good enough
[17:28] <rharper> we need the qemu cmdline
[17:28] <rharper> if they are adding other qemu features
[17:28] <hallyn> it's good enough bc you can get your own command line and it fails to work
[17:28] <rharper> those could be what's requesting the mknod
[17:28] <rharper> yeah, but why should I install virt-manager
[17:28] <rharper> at min, the submitter can provide a full qemu commandline
[17:28] <hallyn> bc it's something we "support"
[17:28] <rharper> I'm not saying we don't support it
[17:29] <rharper> it gets solved faster with the cmdline
[17:33] <hallyn> rharper: http://paste.ubuntu.com/15349105/
[17:34] <hallyn> so i'm dropping the mknod patch right now bc it doesn't even help. does that cmdline tell you what's going on?
[17:35] <rharper> hallyn: it helps
[17:35] <rharper> there's a lot of spice
[17:35] <rharper> usb integration
[17:35] <rharper> lemme see what else is happening in qemu
[17:36] <rharper> the additional spice agent and usbredir certainly can affect what it wants on the host
[17:36] <hallyn> but
[17:36] <hallyn> type=AVC msg=audit(1457717513.877:6035): apparmor="DENIED" operation="mknod" profile="libvirt-ecc5a333-8d61-4225-ae13-bd365d478725" name="/var/lib/libvirt/qemu/channel/target/domain-rhel7.0/org.qemu.guest_agent.0" pid=20477 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
[17:36] <hallyn> oh nm.  i was misreading
[17:37] <hallyn> weird line wrap, it looked like it was mknoding a directory
[17:37] <hallyn> as a chardev
[17:37] <rharper> I'm really confused because there's almost zero mknod in qemu
[17:37] <rharper> 9pfs has mknod (as a proxy for allowing guest to mknod on host for 9p posix compliance)
[17:37] <rharper> but no where else
[17:38] <rharper> chardevs use unix socket
[17:38] <rharper> which I don't think are created with mknod IIUC
[17:39] <rharper> I kinda feel that something else besides qemu is doing a mknod but under the qemu profile
[17:39] <rharper> maybe libvirt ?
[17:39] <rharper> libvirt tends to "create" resources and hand them to qemu
[17:39] <rharper> but I don't know enough about the transition from the libvirt security profile to the qemu one (I guess exec boundary ) ?
[17:40] <jdstrand> not libvirt
[17:41] <jdstrand> if I were to guess I would say it is a supporting library of qemu
[17:41] <hallyn> well how does this qemu guest agent crap work
[17:42] <rharper> virtio-serial as a transport
[17:42] <rharper> then using a QMP wire protocol
[17:42] <hallyn> anyway, that ^ was with the patch which adds mknod if you have a qemu guest agent socket!
[17:42] <rharper> jdstrand: libc and more likely glib
[17:45] <jdstrand> rharper: fyi, libvirt does fork(), then aa_change_profile(), then exec()s qemu
[17:45] <jdstrand> we should probably change that to fork(), aa_change_onexec(), exec()
[17:46] <hallyn> lemme see if adding mknod to libvirt profile helps
[17:47] <hallyn> no, it has it already
[17:48] <hallyn> well i guess my patch was wrong, bc i'm on 1.3.1-1ubuntu7~zfs7 and the domain did not have mknod.
[17:50] <hallyn> oh the name doesn't even match
[17:51] <hallyn> so maybe it would in fact work if i did strstr() instead of STREQ
[17:53] <jamespage> hallyn, hey - do you think the helper update to fix https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1513367 will happen anytime soon?
[17:53] <ubottu> Launchpad bug 1513367 in libvirt (Ubuntu) "qemu-system-x86_64/kvm-spice failed to boot a vm with appmor enabled" [High,Triaged]
[17:54] <jamespage> in about ~1 week I'm going to start working on vhost-user support in the openstack charms, so I can help repro/fix/test whatever....
[17:57] <hallyn> jamespage: i dunno, no one has even bothered to reply to your request for denied msgs
[17:58] <rharper> ah, mkfifo does an mknod
[17:58] <jamespage> yeah i get the feel its a blind 'turn off apparmor for now'
[17:58] * rharper searches more
[17:59] <hallyn> rharper: yeah but i can do that unpriv
[18:04] <hallyn> jamespage: oh hold on, this is about dpdk.  Christian is working that;  i don't think i can help...
[18:05] <hallyn> or is it just another space-in-filename-confuses-virt-aa-helper bug
[18:11] <hallyn> jamespage: why are you pinging me on this?  If you're able to reproduce this to the point where you can hand me a vm where i can easily reproduce this with a custom built debugging apparmor that would be helpful.
[18:12] <hallyn> if not, is this something you see mentioned a lot?  I actually thought this was just one site with a custom install
[18:13] <hallyn> lemme try this smbios weirdness here
[18:17] <hallyn> no that works fine here
[18:20] <hallyn> jamespage: ok well no one has reported DENIED msgs bc there are none to report...  doesn't get that far
[18:22] <hallyn> jamespage: so i hate bugs like that bc it seems to confuse different error cases:  most of the bug they talk about an apparmor profile that failed to load.  but in comment #17 you suggest we might just need to add more perms;
[18:23] <hallyn> aaah, virt-aa-helper itself is not allowed to look under /var/run
[18:23] <hallyn> which would explain both
[18:24] <hallyn> and adding /var/run/** to virt-aa-helper is actually ok, not the same thing as adding it to qemu
[18:25] <hallyn> jamespage: any chance you can push the reporter to test quickly?
[18:38] <Free99> ssl-cert setup seems to dislike that /etc/hostname is just "node-7"... is that a serious issue?
[18:45] <bekks> How does it look like when ssl-cert dislikes that?
[18:47] <Free99> bekks, "hostname: Name or service not known \n make-ssl-cert: Could not get FQDN, using "Node-7"."
[18:47] <bekks> then you have to setup a fqdn.
[18:50] <Free99> thing is, I'm using maas.. it won't let me set an FQDN :-[
[18:52] <tarpman> it's just a warning though, I think? IIRC it doesn't prevent it making the cert
[18:52] <bekks> Free99: So set it manually.
[18:54] <Free99> sigh.. this is actually a symptom of a bigger issue. Maas has been a little rough around the edges, my guess is because of this
[18:54] <Free99> this=lack of fqdn
[18:55] <Free99> http://paste.linux.chat/view/d1664e87
[18:55] <Free99> failing cloud-init
[18:55] <bekks> And why dont you set a fqdn before invoking ssl-cert setup?
[18:59] <Free99> I can't figure out why this whole process is failing
[19:00] <Free99> it seems like postfix?
[19:00] <bekks> Your pastebin is unavailable. But postfix needs fqdn as well.
[19:01] <bekks> So set a fqdn manually.
[19:01] <Free99> I'm not generating this config, Maas is... maas.io
[19:02] <bekks> So where do you set the name of that thing "Node-7"?
[19:02] <Free99> bekks, http://paste.ubuntu.com/15349884/
[19:03] <Free99> I set it in the Maas webUI, but it won't let me type an fqdn, only hostname
[19:03] <Free99> weird right?
[19:03] <bekks> So you cannot type "Node-7.test.local"?
[19:04] <Free99> nope
[19:05] <Free99> soon as you insert a period, the save button greys out... either going to have to modify the source or just do it via cli
[19:05] <Free99> but I wanted to see if anyone knew better beforehand
=== rwd is now known as ro
[19:44] <coreycb> jamespage, looks like django-compressor 2.0 is the fix for the openstack-dashboard install error
[19:51] <hallyn> rharper: http://paste.ubuntu.com/15350345/  when I force the permission for the channel directory
[19:51] <hallyn> jdstrand: http://paste.ubuntu.com/15350357/  what's wrong in this policy?
[19:58] <jdstrand> hallyn: owner "var
[19:58] <jdstrand> use owner "/var
[20:12] <hallyn> d'oh
[20:13] <hallyn> thanks
[20:14] <rharper> hallyn: I haven't dug any more; I just can't figure out where a mknod would come from (it's most likely a mkfifo for a char device) since mkfifo is a wrapper around mknod IIUC
=== devil is now known as Guest86684
[20:15] <rharper> as jdstrand possible from a helper library of qemu but it's not easily tracked down; cursory grepping of qemu and libvirt don't show much, I checked usbredir and spice ,but neither seem to have any either.
[20:15] <rharper> but clearly something at least needs to make the unix socket for the virtio-serial connection;
=== Guest86684 is now known as devil_
=== devil_ is now known as devil__
[20:20] <jamespage> coreycb, awesome!
=== JanC_ is now known as JanC
[20:50] <coreycb> ddellav, the global requirements list is frozen now for mitaka so we'll probably need to do one more pass through the dependencies before rc's come out
[20:55] <ddellav> coreycb ok
=== ro is now known as ezri
=== chmurifree is now known as chmuri
[22:17] <hallyn> rharper: jdstrand: ok, i managed to get the qemu-guest-agent thing working without mknod capability
[22:17] <rharper> nice
[22:17] <rharper> wth was the deal with mknod ?
[22:17] <hallyn> jdstrand: do you mind if i just always add
[22:17] <hallyn>   owner "/var/lib/libvirt/qemu/channel/target/domain-rhel7.0/**" rw,
[22:17] <hallyn> to the files?  (domain-$name)
[22:18] <hallyn> bc i don't seem to be detecting it in the nchannels loop.  i don't know where it shows up in the xml schema
[22:18] <hallyn> figure it should be private so no big loss?
[22:21] <hallyn> jdstrand: ^and also do you mind if i add /var/run/** r to the virt-aa-helper profile?
[22:21] <hallyn> (for openstack reasons)
[22:29] <jdstrand> hallyn: that's fine, though I would use /{,var/}run/**
[22:30] <jdstrand> hallyn: is domain-$name vm-specific? ie, $name is the name in the domain xml? if so, that's fine
[22:31] <jdstrand> hallyn: re no mknod: nice! :)
[22:44] <admin0> how do i create a virtual bridge in ubuntu  that stays after reboot
[22:44] <admin0> should lo be in the bridge_port ?
[22:46] <bekks> admin0: what are you trying to do, in first place?
[22:47] <ChibaPet> admin0: man interfaces
[22:47] <admin0> i need a few local bridges on top of which i will provide internal network to my kvm hosts
[22:49] <rattking> yeah do it in /etc/network/interfaces for a server, I have had endless trouble with bridge creation in networkmanager on a laptop
[22:49] <admin0> yes .. but since its virtual bridge, what ports do I bind it to ?
[22:49] <admin0> br-int1 br-int2 .. both to lo ?
[22:50] <lordievader> rattking: What kind of troubles?
[22:50] <hallyn> jdstrand: yeah, name the domain name.  ok will do - thx, ttyl
[22:50] <lordievader> admin0: Whatever you want ;)
[22:51] <admin0> i mean it does not have to exist ?
[22:51] <lordievader> admin0: I usually have one real nic in the bridge and the rest are vm nics.
[22:52] <admin0> lordievader: that i understand .. that comes after the bridge is created .. i do using brctl but that does not stay after reboot
[22:52] <lordievader> admin0: Do as people suggested, configure it in /etc/network/interfaces
[22:52] <admin0> i want to permanently create say 5 bridges, but having trouble if i should just use lo as port to all
[22:52] <admin0> lordievader: that i know ..  i am asking if people use lo in bridge_ports lo for all ?
[22:52] <lordievader> You could also let libvirt create the bridges for you.
[22:53] <admin0> or i need to create virtual lo:s ?
[22:54] <admin0> lordievader:  i did not went the libvirt way .. thanks !
[22:54] <admin0> will use the net-create in libvirt
[22:55] <nacc> stgraber: looking at merging unbound again, as we're out of sync with debian already. You just did a merge, I've got the debdiff done and ready to go, do you have any advice on testing? I think it'll also need a FFe, as it's a new upstream version
[22:55] <rattking> lordievader: my problems are probably caused by hotplugging since this is a laptop, on my servers everything works fine. but the issues are having to manually down the bridge before any network access will work after disconnecting the ethernet adapter. also I can never tell if the bridge will get a IP or not when I re-up it
[22:56] <stgraber> nacc: ping sdeziel, he'll happily test it for you :)
[22:56] <nacc> stgraber: ok, thanks! :)
[22:57] <lordievader> rattking: Ah, that sounds familiar. Got the same issues here. But I don't really mind it.
