nacc | rcj: rbasak: https://git.launchpad.net/~nacc/ubuntu/+source/open-vm-tools | 00:57 |
---|---|---|
nacc | rcj: rbasak: that is the result of the latest iteration of my script that imports the launchpad history with merges against the debian history for all versions of the package | 01:04 |
nacc | rcj: rbasak: hrm, already found an issue, will debug it (the xenial history is incorrect/not indicating a merge correctly) | 01:12 |
nacc | rcj: rbasak: fixed that bug, deleted and recreating the repository now, should be pushed in the next 30 minutes, take a look at it | 03:23 |
nacc | rbasak: I think there's still an issue with the NMU sequencing being wrong in my code (favoring d/changelog instead of the upload order) -- will verify and fix tmrw AM | 03:24 |
eatingthenight | Anyone have a good guide for using KVM on a headless server | 03:40 |
eatingthenight | everything I see uses virsh with a GUI | 03:41 |
eatingthenight | but i can't figure out how I can setup an ubuntu server VM on ubuntu server. | 03:41 |
sarnold | eatingthenight: check out the uvt-kvm tool | 03:43 |
trippeh | virt-manager also works OK over SSH | 03:44 |
trippeh | with libvirt on the server side. | 03:44 |
eatingthenight | aaa i see, i'll try both out. | 03:44 |
sarnold | trippeh: ooh you know I've never tried that.. | 03:45 |
trippeh | you really want to use ssh keys with it though, or else it gets super annoying. | 03:46 |
eatingthenight | uvt-kvm is pretty nice | 03:57 |
=== galeido_ is now known as galeido | ||
=== trochej is now known as madwizard | ||
placeed | Hi all ! I'm looking to setup "on premises Landscape" but i don't really understand the pricing. I understand it's 150$ per server/year. It mean the amount of landscape server or client server ? | 09:36 |
placeed | If it's client server, it's a little expensive only to manage updates :( | 09:36 |
rbasak | placeed: best to ask Canonical sales. I don't think many people here will know the answer. | 09:39 |
coreycb | jamespage, keystone newton is hitting that gbp import merge failure. could we backport git-buildpackage to the UCA and then we could use --merge-mode=replace on trusty. | 11:51 |
coreycb | jamespage, looking at the yakkety version, it looks like its dependencies would be satisfied already in trusty | 11:54 |
coreycb | beisner, hi, can you promote horizon 2015.1.4-0ubuntu2 from kilo-staging to kilo-proposed? | 12:35 |
=== tinoco is now known as tinocoff | ||
beisner | hi coreycb, ^ done. | 13:45 |
coreycb | beisner, thx | 13:45 |
beisner | yw coreycb | 13:45 |
jamespage | coreycb, monascaclient packaged and uploaded to unstable and wedged into the newton ppa for xenial and yakkety... | 13:56 |
coreycb | jamespage, awesome, thanks. I'll work on packaging microversion-parse. | 14:03 |
jamespage | coreycb, as soon as you have it ready give me a ping - I can upload to unstable if you like | 14:03 |
jamespage | coreycb, remember to file an ITP as well | 14:03 |
coreycb | jamespage, ok | 14:03 |
coreycb | wolsen, I added some comments to bug 1374999. thanks for the patches. | 15:36 |
ubottu | bug 1374999 in nova (Ubuntu Trusty) "iSCSI volume detach does not correctly remove the multipath device descriptors" [Low,Triaged] https://launchpad.net/bugs/1374999 | 15:36 |
thirax | hi! | 15:47 |
wolsen | awesome thanks coreycb | 15:49 |
dddshroom | Anyone familiar with UFW and prerouting traffic from one interface/port to another IP/port? | 16:09 |
coreycb | beisner, can you promote nova from kilo-staging and juno-staging to *-proposed? | 16:10 |
=== tinocoff is now known as tinoco | ||
Bae | honestly. whats the best production friendly way to jail an application so that the only directories it can access are specified directories ? | 17:04 |
sdeziel | Bae: you can probably achieve this with an Apparmor profile | 17:08 |
Bae | yeah most likely | 17:08 |
sdeziel | Bae: if the application/daemon supports chrooting you could also have the few specific directories mount binded to the chroot | 17:09 |
Bae | sdeziel, isnt chroot only for ssh and ftp services only? | 17:10 |
nacc | Bae: chroot is a generic concept | 17:10 |
sdeziel | Bae: for daemons in general but not all of them support it | 17:10 |
nacc | Bae: you could also run your application in a container :) | 17:10 |
sdeziel | that was my next suggestion :) | 17:11 |
Bae | nacc, sdeziel the main purpose of this is im trying to make sure the application daemon cannot be manipulated to change files that its not even supposed to touch | 17:11 |
nacc | Bae: yeah, a container would be "easiest", I think | 17:11 |
sdeziel | the only drawback with containers is you cannot apply an Apparmor profile inside it | 17:11 |
nacc | yeah, that's true | 17:11 |
Bae | i heard chroot is only for ssh and ftp though thats why i didn't go that route. if chroot made it so that the application cannot access under any circumstances thats good | 17:11 |
nacc | sdeziel: although i think that's a feature gap, not a fundamental issue (cmiiw) | 17:12 |
sdeziel | nacc: last I've heard the support for it kernel/AA side landed ~a week before Xenial release | 17:12 |
nacc | sdeziel: yeah that sounds right :) | 17:13 |
sdeziel | nacc: lxd/lxc have yet to support this | 17:13 |
Bae | nacc, sdeziel for the thing you said about containers not supporting apparmor. why is apparmor necessary if the container keeps my application jailed to its own allowed directories ? | 17:13 |
Bae | seems like containers and apparmor perform the same function ? | 17:13 |
sdeziel | nacc: I've also heard that should land in LXD 2.1 (I've been waiting for too long already ;) ) | 17:14 |
nacc | Bae: yeah, in some sense they do, wrt this question | 17:14 |
nacc | Bae: containers provide isolation, apparmor provides resource limitations | 17:14 |
sdeziel | Bae: also, containers are themselves locked in Apparmor profiles | 17:14 |
beisner | coreycb, ack on kilo, underway. curious why juno being it is eol? | 17:15 |
nacc | Bae: my intuition is if you ran lxc launch ubuntu:xenial; lxc exec <container> program, you'd get most of what you want | 17:15 |
nacc | Bae: but it's hard to say | 17:15 |
coreycb | beisner, it is isn't it. don't worry about juno then. | 17:16 |
Bae | nacc, all i want to do is lock the application so that it can read/write to a specific directory on disk. and be able to open to the network. and if the app tries to write/read to a different directory it will be blocked. i suppose apparmor can do this yes ? | 17:16 |
Bae | open socket to the network* | 17:17 |
nacc | Bae: i assume it can, but i don't honestly know :) | 17:17 |
Bae | and socket would be >1024 so root is not important | 17:17 |
Bae | ah okay nacc. well i'll try it. i tried it a few hours ago and i failed. so gotta load up my vm again | 17:17 |
beisner | coreycb, ok. nova 2015.1.4-0ubuntu2 --> kilo-proposed | 17:18 |
nacc | Bae: gl! feel free to ask questions as you go, hopefully others can help out | 17:18 |
Bae | yea. hopefully | 17:18 |
coreycb | beisner, thx | 17:18 |
Bae | thanks nacc and sdeziel | 17:18 |
sdeziel | Bae: you are welcome | 17:19 |
Bae | do you guys have experience with apparmor yourselves ? | 17:19 |
sdeziel | Bae: some but only with profile writing/debugging | 17:19 |
Bae | yeah thats probably as far as i will go is write profiles for my own app and do testing. my idea was to make a nodejs app that will write a file to a specific directory that is allowed by apparmor. then trying to get it to write it to a directory that is denied by apparmor. then seeing if apparmor blocks it | 17:20 |
Bae | in this kind of unit testing i will be able to see what works in apparmor and does not. then finish the whole app then do unit testing then :) | 17:21 |
sdeziel | Bae: Apparmor should work well for your use case. Just know that the network restrictions are a bit coarse | 17:23 |
Bae | sdeziel, in what sense? i want to enable input/output from 2 ports. any limitations of apparmor i can make up for in my iptables rules | 17:27 |
sdeziel | Bae: iptables is the best place to further limit input/output | 17:27 |
Bae | alright thanks sdeziel i'll try this then ask | 17:29 |
marcinlawnik | Hello, I have broken my php7 to apache bridge. I have both installed, but doing sudo a2enmod php7.0 says no module found. I have libapache2-php7.0 installed. Does anyone have any ideas? I also found a thread on a german forum, posted yesterday, no solution yet. Ubuntu 16.04 | 18:02 |
sarnold | marcinlawnik: perhaps it's just called 'php'? or 'php7'? | 18:19 |
marcinlawnik | sarnold, Tried all of them, then checked the internet. it's definitely php7.0. I have some progress though, will let you know. | 18:24 |
marcinlawnik | It was a bad install somewhere, after third reinstall it worked | 18:24 |
sarnold | aha :) | 18:26 |
marcinlawnik | Now I have to find that pesky redirect loop in apache :/ | 18:27 |
nacc | marcinlawnik: yeah, it should be php7.0, but it also should be enabled by default with the ubuntu package in 16.04 | 18:32 |
nacc | marcinlawnik: was this 16.04? | 18:32 |
marcinlawnik | Yes, 16.04 | 18:36 |
marcinlawnik | Anyway, I have it installed, but one of my virtual hosts files is generating an infinite redirect loop | 18:36 |
nacc | marcinlawnik: hrm, strange, i've not seen reports of that (the apache2 module not being found or loaded) | 18:37 |
marcinlawnik | Any idea what might be causing it? I've checked the .conf file and .htaccess in the directory and found nothing | 18:38 |
=== jgrimm is now known as jgrimm-afk | ||
marcinlawnik | php is now installed and confirmed working with apache by running phpinfo | 18:40 |
marcinlawnik | But I still get that redirect loop :/ Where is the config file responsible for the default apache2 page? | 18:41 |
nacc | marcinlawnik: you're getting a redirect loop for the default page? | 18:43 |
marcinlawnik | I have 3 virtual hosts on my single server. I removed all references to ssl, thinking it might be causing redirects. | 18:45 |
marcinlawnik | Now when I enable 2 of the 3 hosts without ssl they work correctly | 18:45 |
marcinlawnik | the third one, without ssl, has a redirect loop | 18:45 |
marcinlawnik | after being activated | 18:46 |
marcinlawnik | I thought there were other config files being used for sites besides the ones in sites-available | 18:46 |
nacc | marcinlawnik: i'm not an apache expert, but I don't think so | 18:48 |
marcinlawnik | Yeah, after some searching i agree. | 18:49 |
marcinlawnik | I'll try over at #httpd, maybe they can help. Thanks for your suggestions ;) | 18:51 |
nacc | marcinlawnik: yeah, nothing obvious to me comes to mind | 18:52 |
ihre | I'd really like to install a specific version of a package (freeipa-client v4) which isnt available for 14.04. The same package is available in the official repositories for 16.04. Can I somehow add a xenial repo to trusty, a bit like debian sid? I've checked the package in xenial-proposed but unfortunately it isn't the right version either. | 18:57 |
nacc | no | 18:57 |
nacc | :) | 18:57 |
nacc | ihre: you really don't want to mix versions of packages | 18:57 |
nacc | ihre: or distributions | 18:57 |
ihre | bummer | 18:57 |
marcinlawnik | Compiling from source? | 18:58 |
ihre | or that, pull it from deb-src | 18:58 |
ihre | but then again, it depends on a ton of packages to begin with.. | 18:58 |
nacc | ihre: do the freeipa folks publish a ppa? | 18:58 |
ihre | there is a ppa, yes, but just v3 available for trusty | 18:59 |
nacc | ihre: i'd assume there is good reason for that then | 18:59 |
ihre | and I'd really like to install v4 due to the kerberos & dns additions | 18:59 |
nacc | ihre: meaning you'd need some other libraries and such to be updated | 18:59 |
ihre | I assume so, yes | 18:59 |
nacc | ihre: which implies you should just switch to 16.04 :) | 18:59 |
nacc | ihre: or run it in a container/vm? | 18:59 |
ihre | I can easily update 90% of my lab, tested puppet deploys w/ 16.04, but upgrading the hypervisor itself... | 19:00 |
nacc | ihre: i meant you could run 16.04 as a container or VM under 14.04, no? | 19:00 |
ihre | possible, but not for freeipa client enrollment | 19:01 |
=== jgrimm-afk is now known as jgrimm | ||
=== admcleod_ is now known as admcleod | ||
coreycb | beisner, can you promote qemu - 1:2.2+dfsg-5expubuntu9.7~cloud3 from kilo-staging to kilo-proposed? | 20:54 |
beisner | yepper coreycb | 20:55 |
beisner | coreycb, qemu 2.2+dfsg-5expubuntu9.7~cloud3 --> kilo-proposed | 20:58 |
coreycb | beisner, thanks, I should be done pestering you for a bit now :) | 21:00 |
newbsie | My service won't start at boot time? I have the following configuration: http://pastebin.com/u3AHKsKm in a file located at /etc/systemd/system/example.com.service | 23:03 |
newbsie | I checked the docs, but frankly do not entirely understand it. Help? | 23:04 |
sarnold | newbsie: did you do the systemctl enable example.com.service ; systemctl start example.com.service dance yet? | 23:09 |
newbsie | stupid me. apparently you have to enable the service too 'systemctl enable <service name>' | 23:09 |
sarnold | newbsie: does /webapps/example.com/ exist? | 23:10 |
sarnold | hooray :) | 23:10 |
newbsie | sarnold: I feel so lost in the Ubuntu world.... | 23:10 |
sarnold | newbsie: systemd is a pretty big change. I've spent five or six hours in the last week trying to do simple tasks that would have taken a few seconds to do via old tools | 23:11 |
newbsie | sarnold: yeah, upstart is so much easier... systemd is huge (at least to me) | 23:12 |
newbsie | sarnold: if I delete files in /var/log/journal/*, will that delete all logs? | 23:12 |
sarnold | newbsie: I don't think so; I think the journals are stored in /run? | 23:12 |
sarnold | see journalctl --header output | 23:14 |
newbsie | there are two files there, and both are in /var/log/journal.... | 23:15 |
newbsie | it seems, individual service (like say nginx) still logs to its normal place independent of the journal | 23:16 |
sarnold | right, most things still use syslog logging.. | 23:19 |
sarnold | you may be able to configure systemd in some way to replace the rsyslog daemon, or maybe extend it, if you'd rather just use journalctl for everything | 23:19 |
newbsie | sarnold: I'd rather not mess with it. :) | 23:21 |
newbsie | sarnold: Thank you for the help! :D | 23:22 |
=== JanC is now known as Guest42191 | ||
=== JanC_ is now known as JanC |