[00:57] <nacc> rcj: rbasak: https://git.launchpad.net/~nacc/ubuntu/+source/open-vm-tools
[01:04] <nacc> rcj: rbasak: that is the result of the latest iteration of my script that imports the launchpad history with merges against the debian history for all versions of the package
[01:12] <nacc> rcj: rbasak: hrm, already found an issue, will debug it (the xenial history is incorrect/not indicating a merge correctly)
[03:23] <nacc> rcj: rbasak: fixed that bug, deleted and recreating the repository now, should be pushed in the next 30 minutes, take a look at it
[03:24] <nacc> rbasak: I think there's still an issue with the NMU sequencing being wrong in my code (favoring d/changelog instead of the upload order) -- will verify and fix tmrw AM
[03:40] <eatingthenight> Anyone have a good guide for using KVM on a headless server
[03:41] <eatingthenight> everything I see uses virsh with a GUI
[03:41] <eatingthenight> but i can't figure out how I can setup an ubuntu server VM on ubuntu server.
[03:43] <sarnold> eatingthenight: check out the uvt-kvm tool
[03:44] <trippeh> virt-manager also works OK over SSH
[03:44] <trippeh> with libvirt on the server side.
[03:44] <eatingthenight> aaa i see, i'll try both out.
[03:45] <sarnold> trippeh: ooh you know I've never tried that..
[03:46] <trippeh> you really want to use ssh keys with it though, or else it gets super annoying.
[03:57] <eatingthenight> uvt-kvm is pretty nice
[09:36] <placeed> Hi all! I'm looking to set up "on premises Landscape" but I don't really understand the pricing. I understand it's 150$ per server/year. Does it mean the amount of Landscape servers or client servers?
[09:36] <placeed> If it's client server, it's a little expensive only to manage updates :(
[09:39] <rbasak> placeed: best to ask Canonical sales. I don't think many people here will know the answer.
[11:51] <coreycb> jamespage, keystone newton is hitting that gbp import merge failure.  could we backport git-buildpackage to the UCA and then we could use --merge-mode=replace on trusty.
[11:54] <coreycb> jamespage, looking at the yakkety version, it looks like its dependencies would be satisfied already in trusty
[12:35] <coreycb> beisner, hi, can you promote horizon 2015.1.4-0ubuntu2 from kilo-staging to kilo-proposed?
[13:45] <beisner> hi coreycb, ^ done.
[13:45] <coreycb> beisner, thx
[13:45] <beisner> yw coreycb
[13:56] <jamespage> coreycb, monascaclient packaged and uploaded to unstable and wedged into the newton ppa for xenial and yakkety...
[14:03] <coreycb> jamespage, awesome, thanks.  I'll work on packaging microversion-parse.
[14:03] <jamespage> coreycb, as soon as you have it ready give me a ping - I can upload to unstable if you like
[14:03] <jamespage> coreycb, remember to file an ITP as well
[14:03] <coreycb> jamespage, ok
[15:36] <coreycb> wolsen, I added some comments to bug 1374999. thanks for the patches.
[15:47] <thirax> hi!
[15:49] <wolsen> awesome thanks coreycb
[16:09] <dddshroom> Anyone familiar with UFW and prerouting traffic from one interface/port to another IP/port?
[16:10] <coreycb> beisner, can you promote nova from kilo-staging and juno-staging to *-proposed?
[17:04] <Bae> honestly. what's the best production friendly way to jail an application so that the only directories it can access are specified directories ?
[17:08] <sdeziel> Bae: you can probably achieve this with an Apparmor profile
[17:08] <Bae> yeah most likely
[17:09] <sdeziel> Bae: if the application/daemon supports chrooting you could also have the few specific directories mount binded to the chroot
[17:10] <Bae> sdeziel, isn't chroot only for ssh and ftp services?
[17:10] <nacc> Bae: chroot is a generic concept
[17:10] <sdeziel> Bae: for daemons in general but not all of them support it
[17:10] <nacc> Bae: you could also run your application in a container :)
[17:11] <sdeziel> that was my next suggestion :)
[17:11] <Bae> nacc, sdeziel the main purpose of this is i'm trying to make sure the application daemon cannot be manipulated to change files that it's not even supposed to touch
[17:11] <nacc> Bae: yeah, a container would be "easiest", I think
[17:11] <sdeziel> the only drawback with containers is you cannot apply an Apparmor profile inside it
[17:11] <nacc> yeah, that's true
[17:11] <Bae> i heard chroot is only for ssh and ftp though, that's why i didn't go that route. if chroot made it so that the application cannot access under any circumstances that's good
[17:12] <nacc> sdeziel: although i think that's a feature gap, not a fundamental issue (cmiiw)
[17:12] <sdeziel> nacc: last I've heard the support for it kernel/AA side landed ~a week before Xenial release
[17:13] <nacc> sdeziel: yeah that sounds right :)
[17:13] <sdeziel> nacc: lxd/lxc have yet to support this
[17:13] <Bae> nacc, sdeziel for the thing you said about containers not supporting apparmor. why is apparmor necessary if the container keeps my application jailed to its own allowed directories ?
[17:13] <Bae> seems like containers and apparmor perform the same function ?
[17:14] <sdeziel> nacc: I've also heard that should land in LXD 2.1 (I've been waiting for too long already ;) )
[17:14] <nacc> Bae: yeah, in some sense they do, wrt this question
[17:14] <nacc> Bae: containers provide isolation, apparmor provides resource limitations
[17:14] <sdeziel> Bae: also, containers are themselves locked in Apparmor profiles
[17:15] <beisner> coreycb, ack on kilo, underway.   curious why juno being it is eol?
[17:15] <nacc> Bae: my intuition is if you ran lxc launch ubuntu:xenial; lxc exec <container> program, you'd get most of what you want
[17:15] <nacc> Bae: but it's hard to say
[17:16] <coreycb> beisner, it is isn't it.  don't worry about juno then.
[17:16] <Bae> nacc, all i want to do is lock the application so that it can read/write to a specific directory on disk. and be able to open to the network. and if the app tries to write/read to a different directory it will be blocked. i suppose apparmor can do this yes ?
[17:17] <Bae> open socket to the network*
[17:17] <nacc> Bae: i assume it can, but i don't honestly know :)
[17:17] <Bae> and socket would be >1024 so root is not important
[17:17] <Bae> ah okay nacc. well i'll try it. i tried it a few hours ago and i failed. so gotta load up my vm again
[17:18] <beisner> coreycb, ok.  nova 2015.1.4-0ubuntu2 --> kilo-proposed
[17:18] <nacc> Bae: gl! feel free to ask questions as you go, hopefully others can help out
[17:18] <Bae> yea. hopefully
[17:18] <coreycb> beisner, thx
[17:18] <Bae> thanks nacc and sdeziel
[17:19] <sdeziel> Bae: you are welcome
[17:19] <Bae> do you guys have experience with apparmor yourselves ?
[17:19] <sdeziel> Bae: some but only with profile writing/debugging
[17:20] <Bae> yeah that's probably as far as i will go is write profiles for my own app and do testing. my idea was to make a nodejs app that will write a file to a specific directory that is allowed by apparmor. then trying to get it to write it to a directory that is denied by apparmor. then seeing if apparmor blocks it
[17:21] <Bae> in this kind of unit testing i will be able to see what works in apparmor and does not. then finish the whole app then do unit testing then :)
[17:23] <sdeziel> Bae: Apparmor should work well for your use case. Just know that the network restrictions are a bit coarse
[17:27] <Bae> sdeziel, in what sense? i want to enable input/output from 2 ports. any limitations of apparmor i can make up for in my iptables rules
[17:27] <sdeziel> Bae: iptables is the best place to further limit input/output
[17:29] <Bae> alright thanks sdeziel i'll try this then ask
[18:02] <marcinlawnik> Hello, I have broken my php7 to apache bridge. I have both installed, but doing sudo a2enmod php7.0 says no module found. I have libapache2-php7.0 installed. Does anyone have any ideas? I also found a thread on a german forum, posted yesterday, no solution yet. Ubuntu 16.04
[18:19] <sarnold> marcinlawnik: perhaps it's just called 'php'? or 'php7'?
[18:24] <marcinlawnik> sarnold, Tried all of them, then checked the internet. it's definitely php7.0. I have some progress though, will let you know.
[18:24] <marcinlawnik> It was a bad install somewhere, after third reinstall it worked
[18:26] <sarnold> aha :)
[18:27] <marcinlawnik> Now I have to find that pesky redirect loop in apache :/
[18:32] <nacc> marcinlawnik: yeah, it should be php7.0, but it also should be enabled by default with the ubuntu package in 16.04
[18:32] <nacc> marcinlawnik: was this 16.04?
[18:36] <marcinlawnik> Yes, 16.04
[18:36] <marcinlawnik> Anyway, I have it installed, but one of my virtual hosts files is generating an infinite redirect loop
[18:37] <nacc> marcinlawnik: hrm, strange, i've not seen reports of that (the apache2 module not being found or loaded)
[18:38] <marcinlawnik> Any idea what might be causing it? I've checked the .conf file and .htaccess in the directory and found nothing
[18:40] <marcinlawnik> php is now installed and confirmed working with apache by running phpinfo
[18:41] <marcinlawnik> But I still get that redirect loop :/ Where is the config file responsible for the default apache2 page?
[18:43] <nacc> marcinlawnik: you're getting a redirect loop for the default page?
[18:45] <marcinlawnik> I have 3 virtual hosts on my single server. I removed all references to ssl, thinking it might be causing redirects.
[18:45] <marcinlawnik> Now when I enable 2 of the 3 hosts without ssl they work correctly
[18:45] <marcinlawnik> the third one, without ssl, has a redirect loop
[18:46] <marcinlawnik> after being activated
[18:46] <marcinlawnik> I thought there were other config files being used for sites besides the ones in sites-available
[18:48] <nacc> marcinlawnik: i'm not an apache expert, but I don't think so
[18:49] <marcinlawnik> Yeah, after some searching i agree.
[18:51] <marcinlawnik> I'll try over at #httpd, maybe they can help. Thanks for your suggestions ;)
[18:52] <nacc> marcinlawnik: yeah, nothing obvious to me comes to mind
[18:57] <ihre> I'd really like to install a specific version of a package (freeipa-client v4) which isn't available for 14.04. The same package is available in the official repositories for 16.04. Can I somehow add a xenial repo to trusty, a bit like debian sid? I've checked the package in xenial-proposed but unfortunately it isn't the right version either.
[18:57] <nacc> no
[18:57] <nacc> :)
[18:57] <nacc> ihre: you really don't want to mix versions of packages
[18:57] <nacc> ihre: or distributions
[18:57] <ihre> bummer
[18:58] <marcinlawnik> Compiling from source?
[18:58] <ihre> or that, pull it from deb-src
[18:58] <ihre> but then again, it depends on a ton of packages to begin with..
[18:58] <nacc> ihre: do the freeipa folks publish a ppa?
[18:59] <ihre> there is a ppa, yes, but just v3 available for trusty
[18:59] <nacc> ihre: i'd assume there is good reason for that then
[18:59] <ihre> and I'd really like to install v4 due to the kerberos & dns additions
[18:59] <nacc> ihre: meaning you'd need some other libraries and such to be updated
[18:59] <ihre> I assume so, yes
[18:59] <nacc> ihre: which implies you should just switch to 16.04 :)
[18:59] <nacc> ihre: or run it in a container/vm?
[19:00] <ihre> I can easily update 90% of my lab, tested puppet deploys w/ 16.04, but upgrading the hypervisor itself...
[19:00] <nacc> ihre: i meant you could run 16.04 as a container or VM under 14.04, no?
[19:01] <ihre> possible, but not for freeipa client enrollment
[20:54] <coreycb> beisner, can you promote qemu - 1:2.2+dfsg-5expubuntu9.7~cloud3 from kilo-staging to kilo-proposed?
[20:55] <beisner> yepper coreycb
[20:58] <beisner> coreycb, qemu 2.2+dfsg-5expubuntu9.7~cloud3 --> kilo-proposed
[21:00] <coreycb> beisner, thanks, I should be done pestering you for a bit now :)
[23:03] <newbsie> My service won't start at boot time? I have the following configuration: http://pastebin.com/u3AHKsKm in a file located at /etc/systemd/system/example.com.service
[23:04] <newbsie> I checked the docs, but frankly do not entirely understand it. Help?
[23:09] <sarnold> newbsie: did you do the systemctl enable example.com.service ; systemctl start example.com.service dance yet?
[23:09] <newbsie> stupid me. apparently you have to enable the service too: 'systemctl enable <service name>'
[23:10] <sarnold> newbsie: does /webapps/example.com/ exist?
[23:10] <sarnold> hooray :)
[23:10] <newbsie> sarnold: I feel so lost in the Ubuntu world....
[23:11] <sarnold> newbsie: systemd is a pretty big change. I've spent five or six hours in the last week trying to do simple tasks that would have taken a few seconds to do via old tools
[23:12] <newbsie> sarnold: yeah, upstart is so much easier... systemd is huge (at least to me)
[23:12] <newbsie> sarnold: if I delete files in /var/log/journal/*, will that delete all logs?
[23:12] <sarnold> newbsie: I don't think so; I think the journals are stored in /run?
[23:14] <sarnold> see journalctl --header output
[23:15] <newbsie> there are two files there, and both are in /var/log/journal....
[23:16] <newbsie> it seems, individual service (like say nginx) still logs to its normal place independent of the journal
[23:19] <sarnold> right, most things still use syslog logging..
[23:19] <sarnold> you may be able to configure systemd in some way to replace the rsyslog daemon, or maybe extend it, if you'd rather just use journalctl for everything
[23:21] <newbsie> sarnold: I'd rather not mess with it. :)
[23:22] <newbsie> sarnold: Thank you for the help! :D