/srv/irclogs.ubuntu.com/2016/05/17/#ubuntu-server.txt

[00:57] <nacc> rcj: rbasak: https://git.launchpad.net/~nacc/ubuntu/+source/open-vm-tools
[01:04] <nacc> rcj: rbasak: that is the result of the latest iteration of my script that imports the launchpad history with merges against the debian history for all versions of the package
[01:12] <nacc> rcj: rbasak: hrm, already found an issue, will debug it (the xenial history is incorrect/not indicating a merge correctly)
[03:23] <nacc> rcj: rbasak: fixed that bug, deleted and recreating the repository now, should be pushed in the next 30 minutes, take a look at it
[03:24] <nacc> rbasak: I think there's still an issue with the NMU sequencing being wrong in my code (favoring d/changelog instead of the upload order) -- will verify and fix tmrw AM
[03:40] <eatingthenight> Anyone have a good guide for using KVM on a headless server
[03:41] <eatingthenight> everything I see uses virsh with a GUI
[03:41] <eatingthenight> but i can't figure out how I can setup an ubuntu server VM on ubuntu server.
[03:43] <sarnold> eatingthenight: check out the uvt-kvm tool
[03:44] <trippeh> virt-manager also works OK over SSH
[03:44] <trippeh> with libvirt on the server side.
[03:44] <eatingthenight> aaa i see, i'll try both out.
[03:45] <sarnold> trippeh: ooh you know I've never tried that..
[03:46] <trippeh> you really want to use ssh keys with it though, or else it gets super annoying.
[03:57] <eatingthenight> uvt-kvm is pretty nice
=== galeido_ is now known as galeido
=== trochej is now known as madwizard
[09:36] <placeed> Hi all ! I'm looking to setup "on premises Landscape" but i don't really understand the pricing. I understand it's 150$ per server/year. It mean the amount of landscape server or client server ?
[09:36] <placeed> If it's client server, it's a little expensive only to manage updates :(
[09:39] <rbasak> placeed: best to ask Canonical sales. I don't think many people here will know the answer.
[11:51] <coreycb> jamespage, keystone newton is hitting that gbp import merge failure.  could we backport git-buildpackage to the UCA and then we could use --merge-mode=replace on trusty.
[11:54] <coreycb> jamespage, looking at the yakkety version, it looks like its dependencies would be satisfied already in trusty
[12:35] <coreycb> beisner, hi, can you promote horizon 2015.1.4-0ubuntu2 from kilo-staging to kilo-proposed?
=== tinoco is now known as tinocoff
[13:45] <beisner> hi coreycb, ^ done.
[13:45] <coreycb> beisner, thx
[13:45] <beisner> yw coreycb
[13:56] <jamespage> coreycb, monascaclient packaged and uploaded to unstable and wedged into the newton ppa for xenial and yakkety...
[14:03] <coreycb> jamespage, awesome, thanks.  I'll work on packaging microversion-parse.
[14:03] <jamespage> coreycb, as soon as you have it ready give me a ping - I can upload to unstable if you like
[14:03] <jamespage> coreycb, remember to file an ITP as well
[14:03] <coreycb> jamespage, ok
[15:36] <coreycb> wolsen, I added some comments to bug 1374999. thanks for the patches.
[15:36] <ubottu> bug 1374999 in nova (Ubuntu Trusty) "iSCSI volume detach does not correctly remove the multipath device descriptors" [Low,Triaged] https://launchpad.net/bugs/1374999
[15:47] <thirax> hi!
[15:49] <wolsen> awesome thanks coreycb
[16:09] <dddshroom> Anyone familiar with UFW and prerouting traffic from one interface/port to another IP/port?
[16:10] <coreycb> beisner, can you promote nova from kilo-staging and juno-staging to *-proposed?
=== tinocoff is now known as tinoco
[17:04] <Bae> honestly. whats the best production friendly way to jail an application so that the only directories it can access are specified directories ?
[17:08] <sdeziel> Bae: you can probably achieve this with an Apparmor profile
[17:08] <Bae> yeah most likely
[17:09] <sdeziel> Bae: if the application/daemon supports chrooting you could also have the few specific directories mount binded to the chroot
[17:10] <Bae> sdeziel, isnt chroot only for ssh and ftp services only?
[17:10] <nacc> Bae: chroot is a generic concept
[17:10] <sdeziel> Bae: for daemons in general but not all of them support it
[17:10] <nacc> Bae: you could also run your application in a container :)
[17:11] <sdeziel> that was my next suggestion :)
[17:11] <Bae> nacc, sdeziel the main purpose of this is im trying to make sure the application daemon cannot be manipulated to change files that its not even supposed to touch
[17:11] <nacc> Bae: yeah, a container would be "easiest", I think
[17:11] <sdeziel> the only drawback with containers is you cannot apply an Apparmor profile inside it
[17:11] <nacc> yeah, that's true
[17:11] <Bae> i heard chroot is only for ssh and ftp though thats why i didn't go that route. if chroot made it so that the application cannot access under any circumstances thats good
[17:12] <nacc> sdeziel: although i think that's a feature gap, not a fundamental issue (cmiiw)
[17:12] <sdeziel> nacc: last I've heard the support for it kernel/AA side landed ~a week before Xenial release
[17:13] <nacc> sdeziel: yeah that sounds right :)
[17:13] <sdeziel> nacc: lxd/lxc have yet to support this
[17:13] <Bae> nacc, sdeziel for the thing you said about containers not supporting apparmor. why is apparmor necessary if the container keeps my application jailed to its own allowed directories ?
[17:13] <Bae> seems like containers and apparmor perform the same function ?
[17:14] <sdeziel> nacc: I've also heard that should land in LXD 2.1 (I've been waiting for too long already ;) )
[17:14] <nacc> Bae: yeah, in some sense they do, wrt this question
[17:14] <nacc> Bae: containers provide isolation, apparmor provides resource limitations
[17:14] <sdeziel> Bae: also, containers are themselves locked in Apparmor profiles
[17:15] <beisner> coreycb, ack on kilo, underway.   curious why juno being it is eol?
[17:15] <nacc> Bae: my intuition is if you ran lxc launch ubuntu:xenial; lxc exec <container> program, you'd get most of what you want
[17:15] <nacc> Bae: but it's hard to say
[17:16] <coreycb> beisner, it is isn't it.  don't worry about juno then.
[17:16] <Bae> nacc, all i want to do is lock the application so that it can read/write to a specific directory on disk. and be able to open to the network. and if the app tries to write/read to a different directory it will be blocked. i suppose apparmor can do this yes ?
[17:17] <Bae> open socket to the network*
[17:17] <nacc> Bae: i assume it can, but i don't honestly know :)
[17:17] <Bae> and socket would be >1024 so root is not important
[17:17] <Bae> ah okay nacc. well i'll try it. i tried it a few hours ago and i failed. so gotta load up my vm again
[17:18] <beisner> coreycb, ok.  nova 2015.1.4-0ubuntu2 --> kilo-proposed
[17:18] <nacc> Bae: gl! feel free to ask questions as you go, hopefully others can help out
[17:18] <Bae> yea. hopefully
[17:18] <coreycb> beisner, thx
[17:18] <Bae> thanks nacc and sdeziel
[17:19] <sdeziel> Bae: you are welcome
[17:19] <Bae> do you guys have experience with apparmor yourselves ?
[17:19] <sdeziel> Bae: some but only with profile writing/debugging
[17:20] <Bae> yeah thats probably as far as i will go is write profiles for my own app and do testing. my idea was to make a nodejs app that will write a file to a specific directory that is allowed by apparmor. then trying to get it to write it to a directory that is denied by apparmor. then seeing if apparmor blocks it
[17:21] <Bae> in this kind of unit testing i will be able to see what works in apparmor and does not. then finish the whole app then do unit testing then :)
[17:23] <sdeziel> Bae: Apparmor should work well for your use case. Just know that the network restrictions are a bit coarse
[17:27] <Bae> sdeziel, in what sense? i want to enable input/output from 2 ports. any limitations of apparmor i can make up for in my iptables rules
[17:27] <sdeziel> Bae: iptables is the best place to further limit input/output
[17:29] <Bae> alright thanks sdeziel i'll try this then ask
[18:02] <marcinlawnik> Hello, I have broken my php7 to apache bridge. I have both installed, but doing sudo a2enmod php7.0 says no module found. I have libapache2-php7.0 installed. Does anyone have any ideas? I also found a thread on a german forum, posted yesterday, no solution yet. Ubuntu 16.04
[18:19] <sarnold> marcinlawnik: perhaps it's just called 'php'? or 'php7'?
[18:24] <marcinlawnik> sarnold, Tried all of them, then checked the internet. it's definitely php7.0. I have some progress though, will let you know.
[18:24] <marcinlawnik> It was a bad install somewhere, after third reinstall it worked
[18:26] <sarnold> aha :)
[18:27] <marcinlawnik> Now I have to find that pesky redirect loop in apache :/
[18:32] <nacc> marcinlawnik: yeah, it should be php7.0, but it also should be enabled by default with the ubuntu package in 16.04
[18:32] <nacc> marcinlawnik: was this 16.04?
[18:36] <marcinlawnik> Yes, 16.04
[18:36] <marcinlawnik> Anyway, I have it installed, but one of my virtual hosts files is generating an infinite redirect loop
[18:37] <nacc> marcinlawnik: hrm, strange, i've not seen reports of that (the apache2 module not being found or loaded)
[18:38] <marcinlawnik> Any idea what might be causing it? I've checked the .conf file and .htaccess in the directory and found nothing
=== jgrimm is now known as jgrimm-afk
[18:40] <marcinlawnik> php is now installed and confirmed working with apache by running phpinfo
[18:41] <marcinlawnik> But I still get that redirect loop :/ Where is the config file responsible for the default apache2 page?
[18:43] <nacc> marcinlawnik: you're getting a redirect loop for the default page?
[18:45] <marcinlawnik> I have 3 virtual hosts on my single server. I removed all references to ssl, thinking it might be causing redirects.
[18:45] <marcinlawnik> Now when I enable 2 of the 3 hosts without ssl they work correctly
[18:45] <marcinlawnik> the third one, without ssl, has a redirect loop
[18:46] <marcinlawnik> after being activated
[18:46] <marcinlawnik> I thought there were other config files being used for sites besides the ones in sites-available
[18:48] <nacc> marcinlawnik: i'm not an apache expert, but I don't think so
[18:49] <marcinlawnik> Yeah, after some searching i agree.
[18:51] <marcinlawnik> I'll try over at #httpd, maybe they can help. Thanks for your suggestions ;)
[18:52] <nacc> marcinlawnik: yeah, nothing obvious to me comes to mind
[18:57] <ihre> I'd really like to install a specific version of a package (freeipa-client v4) which isnt available for 14.04. The same package is available in the official repositories for 16.04. Can I somehow add a xenial repo to trusty, a bit like debian sid? I've checked the package in xenial-proposed but unfortunately it isn't the right version either.
[18:57] <nacc> no
[18:57] <nacc> :)
[18:57] <nacc> ihre: you really don't want to mix versions of packages
[18:57] <nacc> ihre: or distributions
[18:57] <ihre> bummer
[18:58] <marcinlawnik> Compiling from source?
[18:58] <ihre> or that, pull it from deb-src
[18:58] <ihre> but then again, it depends on a ton of packages to begin with..
[18:58] <nacc> ihre: do the freeipa folks publish a ppa?
[18:59] <ihre> there is a ppa, yes, but just v3 available for trusty
[18:59] <nacc> ihre: i'd assume there is good reason for that then
[18:59] <ihre> and I'd really like to install v4 due to the kerberos & dns additions
[18:59] <nacc> ihre: meaning you'd need some other libraries and such to be updated
[18:59] <ihre> I assume so, yes
[18:59] <nacc> ihre: which implies you should just switch to 16.04 :)
[18:59] <nacc> ihre: or run it in a container/vm?
[19:00] <ihre> I can easily update 90% of my lab, tested puppet deploys w/ 16.04, but upgrading the hypervisor itself...
[19:00] <nacc> ihre: i meant you could run 16.04 as a container or VM under 14.04, no?
[19:01] <ihre> possible, but not for freeipa client enrollment
=== jgrimm-afk is now known as jgrimm
=== admcleod_ is now known as admcleod
[20:54] <coreycb> beisner, can you promote qemu - 1:2.2+dfsg-5expubuntu9.7~cloud3 from kilo-staging to kilo-proposed?
[20:55] <beisner> yepper coreycb
[20:58] <beisner> coreycb, qemu 2.2+dfsg-5expubuntu9.7~cloud3 --> kilo-proposed
[21:00] <coreycb> beisner, thanks, I should be done pestering you for a bit now :)
[23:03] <newbsie> My service won't start at boot time? I have the following configuration: http://pastebin.com/u3AHKsKm in a file located at /etc/systemd/system/example.com.service
[23:04] <newbsie> I checked the docs, but frankly do not entirely understand it. Help?
[23:09] <sarnold> newbsie: did you do the systemctl enable example.com.service ; systemctl start example.com.service  dance yet?
[23:09] <newbsie> stupid me. apparently you have to enable the service too 'systemctl enable <service name>'
[23:10] <sarnold> newbsie: does /webapps/example.com/ exist?
[23:10] <sarnold> hooray :)
[23:10] <newbsie> sarnold: I feel so lost in the Ubuntu world....
[23:11] <sarnold> newbsie: systemd is a pretty big change. I've spent five or six hours in the last week trying to do simple tasks that would have taken a few seconds to do via old tools
[23:12] <newbsie> sarnold: yeah, upstart is so much easier... systemd is huge (at least to me)
[23:12] <newbsie> sarnold: if delete files in /var/log/journal/*, will that delete all logs?
[23:12] <sarnold> newbsie: I don't think so; I think the journals are stored in /run?
[23:14] <sarnold> see journalctl --header output
[23:15] <newbsie> there are two files there, and both are in /var/log/journal....
[23:16] <newbsie> it seems, individual service (like say nginx) still logs to its normal place independent of the journal
[23:19] <sarnold> right, most things still use syslog logging..
[23:19] <sarnold> you may be able to configure systemd in some way to replace the rsyslog daemon, or maybe extend it, if you'd rather just use journalctl for everything
[23:21] <newbsie> sarnold: I'd rather not mess with it. :)
[23:22] <newbsie> sarnold: Thank you for the help! :D
=== JanC is now known as Guest42191
=== JanC_ is now known as JanC
