[03:10] Does anyone here use an inventory management solution in the workplace that is compatible with Linux, OS X, and Windows and can perform SNMP scanning/polling, agent and agentless based information, has an API, and can pull serial numbers for all hard drives?
[05:47] caliculk, you might want to take a look at ansible.com
[09:44] jamespage: hey, we're trying to deploy Mitaka on Xenial, we're having an issue with OVS
[09:44] degorenko: can you paste your logs here?
[09:44] yep
[09:44] http://paste.openstack.org/show/497463/
[09:45] http://paste.openstack.org/show/497467/
[09:45] it sounds similar to https://bugs.launchpad.net/networking-ovs-dpdk/+bug/1512701
[09:45] Launchpad bug 1512701 in networking-ovs-dpdk "Database connection failed on ubuntu when running ovs-dpdk init" [Undecided,Invalid]
[09:47] maybe we need openvswitch-switch-dpdk?
[09:47] degorenko: can you run "dpkg -l | grep openvswitch"?
[09:48] EmilienM, http://paste.openstack.org/show/497469/
[09:49] jamespage: do we need something else when deploying the openvswitch-switch package?
[09:51] EmilienM: nope
[09:51] EmilienM: status looks ok
[09:53] jamespage: we also have an issue with SSL deployment. The same Puppet manifests that deploy SSL certs on Trusty do not work on Xenial, see https://etherpad.openstack.org/p/puppet-openstack-xenial
[09:53] we have a lot of [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
[09:53] did something change in Xenial for SSL certs?
[09:56] degorenko: I'm adding the Horizon failure in the etherpad, you missed it
[09:56] are you talking about failed tempest tests?
[09:57] yes
[09:57] jamespage: we're trying to deploy Mitaka on Xenial, we have some issues
[09:58] degorenko: I'm going to enable SSL again so we can have the failures available in logs
[09:58] EmilienM, what should we do with openvswitch? :)
[09:59] degorenko: I have no idea
[09:59] :(
[10:03] jamespage: if you can help us that would be awesome, please let us know what you think about our issues in the etherpad. Thanks
[10:24] EmilienM: sorry, juggling a few things to do so I will be a bit async on responses
[10:24] EmilienM, degorenko: OK let's look at ovs first...
[10:25] you should not need the -dpdk binary for general use
[10:25] and the path looks just fine for the database.
[10:29] things to look at:
[10:29] check perms on /var/run/openvswitch/db.sock
[10:30] look in /var/log/openvswitch/*
[10:30] might give some further clues...
[10:36] jamespage: thx for looking, I'm a bit afk for lunch, will reply async
[10:42] jamespage, root@de-xenial:~/puppet-openstack-integration# ll /var/run/openvswitch/db.sock
[10:42] srwxr-x--- 1 root root 0 May 17 15:06 /var/run/openvswitch/db.sock=
[10:42] cat: /var/run/openvswitch/db.sock: No such device or address
[10:43] degorenko, is the trailing '=' a typo or actually what's in the directory?
[10:44] jamespage, http://paste.openstack.org/show/497480/
[10:44] i don't know why = was added
[10:44] :)
[10:46] degorenko, ok have one running as well - my /var/run/openvswitch looks comparable to yours
[10:46] and cat /var/run/openvswitch/db.sock does the same thing
[10:46] but
[10:46] I can add a bridge to the configuration
[10:46] http://paste.ubuntu.com/16487891/
[10:47] degorenko, anything useful in /var/log/openvswitch?
[10:47] jamespage, nothing, but let me look one more time
[10:47] jamespage, ovsdb-server has: 2016-05-18T10:46:51.182Z|01882|ovsdb_jsonrpc_server|WARN|Dropped 11 log messages in last 56 seconds (most recently, 6 seconds ago) due to excessive rate
[10:47] 2016-05-18T10:46:51.182Z|01883|ovsdb_jsonrpc_server|WARN|punix:/var/run/openvswitch/db.sock: connection exceeded maximum (330)
[10:48] and nothing interesting in the ovs-vswitchd log
[10:48] degorenko, anything in syslog?
[10:49] jamespage, i see several neutron errors, but they are related to the already posted error during bridge creation - and i see the same error in syslog
[10:50] * jamespage scratches his head
[10:50] degorenko, can you do an ovs-vsctl show?
[10:51] just wondering what is working and what's not
[10:51] also anything in /etc/default/openvswitch-switch ?
[10:51] other than the stock installed file
[10:52] jamespage, i found this in syslog http://paste.openstack.org/show/497480/
[10:52] degorenko: do you have enough memory on the VM?
[10:52] degorenko, I think that's a previous pastebin
[10:53] 2 GB more free, 5.6 from 7.8
[10:53] EmilienM, ^
[10:54] jamespage, file /etc/default/openvswitch-switch is empty
[10:54] that's ok
[10:54] only comment lines
[10:56] on the deployment I have running we run it in a 1.5G instance for network nodes - and that's working fine...
[10:57] jamespage, the show command also failed with the same error
[10:58] degorenko, it's related to 2016-05-18T10:46:51.182Z|01883|ovsdb_jsonrpc_server|WARN|punix:/var/run/openvswitch/db.sock: connection exceeded maximum (330)
[10:58] the socket is full - are both ovs processes still running?
[10:59] jamespage, http://paste.openstack.org/show/497483/ - yes
[11:01] degorenko, can I access your instance?
[11:01] no :( it is under a private network
[11:02] jamespage, ^
[11:03] degorenko, what was the syslog thing you found?
[11:04] jamespage, well, i see a lot of requests for bridge creation and then
[11:04] jamespage, http://paste.openstack.org/show/497484/
[11:04] after that i have the database connection error
[11:05] degorenko, hmm
[11:05] degorenko, something is getting wedged, but I've not seen this before
[11:05] degorenko, can you try a restart of openvswitch-switch pls
[11:06] jamespage, full log for ovs commands: http://paste.openstack.org/show/497485/
[11:06] that's all i have from syslog related only to ovs
[11:06] ovs was functional
[11:06] yes, it was
[11:06] and then after a few hours borked in some way
[11:07] i can redeploy it again
[11:07] and we will have fresh logs
[11:07] but anyway
[11:07] we have an issue that during the second puppet run for idempotency the service was restarted
[11:07] degorenko, before you do, "netstat -an | grep openvswitch" would be useful
[11:08] yeah
[11:08] too many connections
[11:08] http://paste.openstack.org/show/497486/
[11:08] jamespage, ^ that's not the full output
[11:09] i have 404 lines after this command
[11:09] degorenko, ok so we need to figure out what's holding those connections open
[11:09] sudo lsof | grep /var/run/openvswitch
[11:10] degorenko, I see this sort of thing:
[11:10] http://paste.ubuntu.com/16488179/
[11:11] jamespage, yep, http://paste.openstack.org/show/497487/
[11:11] i have a lot of db.sock
[11:11] from which processes?
[11:13] jamespage, root 17422 0.0 0.0 24732 2036 ? S root 17423 0.1 0.6 394188 50404 ? S so, both processes which i posted above
[11:14] all db.sock from ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
[11:17] degorenko, might seem like an odd question but is self host resolution ok?
[11:17] degorenko, any spurious output on sudo XX commands?
[11:18] jamespage, he he, yes, it is
[11:18] ubuntu@de-xenial:~$ sudo -i
[11:18] sudo: unable to resolve host de-xenial
[11:18] degorenko, can you pastebin /var/log/openvswitch/ovsdb-server.log pls
[11:18] degorenko, hmm
[11:18] but i'm not sure that we have the same error on our infra slaves
[11:19] degorenko, are there a lot of ovs-vsctl processes hanging around?
[11:19] or ovs-* processes - might be other cli tools
[11:19] jamespage, http://paste.openstack.org/show/497488/ - yes
[11:20] ~200
[11:20] degorenko, this is your problem
[11:20] degorenko, when there is spurious output on the sudo command, neutron-openvswitch just spins loads of those monitor processes and everything collapses...
[11:21] that's consuming all of the socket connections, resulting in what you see now...
[11:21] degorenko, EmilienM: this might be a diff in the xenial image vs trusty image...
[11:22] jamespage, hmmm, ok, thank you for the help, i'll rebuild my vm, then add my host name to /etc/hosts and try to redeploy
[11:22] degorenko, np
[11:24] coreycb, hey - I switched the newton neutron builds to using ostestr - build speed picked up a lot in the PPAs
[11:24] and seems more reliable...
[11:25] sorted a lot of sqlite racey things before - which I think is the cause of the FTBFS in yakkety for the mitaka point release uploads...
[11:25] coreycb, also backported git-buildpackage for trusty for liberty and mitaka - should be able to switch --merge-mode=replace on soon
[11:35] coreycb, replace mode re-enabled...
[11:40] jamespage, awesome thanks
[11:47] coreycb, I also switched over keystone for newton
[11:47] appears to test a lot faster now
[11:47] 19 mins vs 1hr
[11:47] jamespage, wow, that's a huge improvement
[12:34] coreycb, keystone in ppa is now 16 mins vs 52
[12:35] jamespage, that is really awesome. my laptop is burning up here running neutron tests. :)
[12:46] beisner, these packages are ready for promotion to kilo-updates. they've tested successfully and have aged 7 days in kilo-proposed. http://paste.ubuntu.com/16490018/
[12:47] coreycb, are there any pre-requisite charm upgrades tied to those package revs?
[12:47] beisner, no not for these
[12:48] beisner, while you mention it, I'm going to make a card to generalize that charm-helpers minor point release versioning so we don't have to deal with that.
[12:49] coreycb, yes that'd be really nice. it seems like an easy win to not potentially break folks, and ... peace of mind :-)
[12:49] beisner, definitely
[12:50] coreycb, jamespage - kilo-proposed has libvirt-python and qemu. are those needing to go as well?
[12:51] beisner, not yet for qemu, that's new
[12:51] coreycb, ack
[12:51] beisner, not sure about libvirt-python
[13:01] coreycb, beisner: libvirt-python ++ yes please
[13:02] https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1539506
[13:02] for reference
[13:02] Launchpad bug 1539506 in Ubuntu Cloud Archive liberty "AttributeError: 'virDomain' object has no attribute 'fsFreeze" [Medium,Fix committed]
[13:02] coreycb, reverted merge-mode again
[13:02] apparently my backported package was foobar.
[13:02] jamespage, doh
[13:03] jamespage, need anything?
[13:10] coreycb, nah - back in now - testing atm
[13:11] coreycb, how's microversion-parse?
[13:11] jamespage, oh sorry, I'll work on it, I thought you said it was done
[13:18] coreycb, nope
[13:31] jamespage: for the SSL errors, everything works fine on Trusty, but the same manifests fail on Xenial, I have some logs
[13:31] Error: Could not prefetch keystone_service provider 'openstack': Execution of '/usr/bin/openstack service list --quiet --format csv --long' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/services: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
[13:32] http://logs.openstack.org/30/308530/16/experimental/gate-puppet-openstack-integration-3-scenario003-tempest-ubuntu-xenial/cd44c41/console.html#_2016-05-18_10_16_38_727
[13:32] apache logs: http://logs.openstack.org/30/308530/16/experimental/gate-puppet-openstack-integration-3-scenario003-tempest-ubuntu-xenial/cd44c41/logs/apache/
[13:36] EmilienM: deploying now to see if I can reproduce
[13:36] jamespage: thanks for your help
[13:36] EmilienM: np
[13:36] want to see you unblocked so you can start testing out newton packages :-)
[13:36] so here's how we deploy SSL :
[13:37] EmilienM: oh I have a way to deploy SSL :-)
[13:37] 1) we drop the /etc/ssl/certs/puppet_openstack.pem file
[13:37] I mean, we put the file at this place
[13:37] sure
[13:37] 2) we run /usr/sbin/update-ca-certificates -f
[13:38] 3) we put the cert in /etc/keystone/ssl/private/cert.pem (etc for every project)
[13:38] that's all I think
[13:38] it used to work fine with Trusty
[13:39] EmilienM: is that for the CA cert?
[13:40] the CA cert is put in /etc/ssl/certs/puppet_openstack.pem
[13:40] EmilienM: hmm ok
[13:40] well
[13:40] in fact we use the same cert for both
[13:40] https://github.com/openstack/puppet-openstack-integration/tree/master/files
[13:41] we have a crt & key for ipv4 & ipv6 (because we deploy apache and use ::1 or 127.0.0.1)
[13:41] EmilienM: any way you can turn up and capture the output of update-ca-certificates?
[13:41] -v would be useful
[13:42] jamespage: yes! we can do it
[13:42] degorenko: I'm going to update the patch ^
[13:43] EmilienM: awesome
[13:43] EmilienM: looking at the log I think you're writing it to /usr/local/share/ca-certificates/puppet_openstack.crt
[13:43] and then running update-ca-certificates
[13:43] yeah
[13:45] jamespage: can I run it after the puppet run?
[13:45] yup
[13:47] ok let's try
[13:54] EmilienM: testing out my Juju deployed SSL openstack xenial mitaka foo now
[13:54] excellent
[13:54] jamespage: how do you deploy SSL?
[13:54] can you point me to the charms?
[13:54] (see how good my vocabulary is)
[13:55] EmilienM: kinda the same way you do - the keystone charm acts as a CA for everything else, and provides signed certs back to related services
[13:55] ok same yeah
[13:55] which then use them and update their endpoint entries to do https
[13:56] EmilienM: OK so I'm looking functional with https enabled...
[13:56] EmilienM: that's from a xenial client to a xenial cloud
[13:56] ok, let's see
[13:57] EmilienM: that's good because it broadly means we're not looking at a code fault somewhere in the stack on installed things...
[13:57] EmilienM: how do you generate your CA and cert? I wonder whether it's something about them that xenial does not like
[13:58] jamespage: on http://www.selfsignedcertificate.com/
[13:58] I'm very lazy, I know.
[13:58] but it just works
[13:59] EmilienM: so how does the chain of trust work with those?
[13:59] puppet_openstack.crt is the cert for the signing CA?
[13:59] jamespage: yes
[14:00] our certs are here: https://github.com/openstack/puppet-openstack-integration/tree/master/files
[14:00] we have a pair of cert/key for ipv4 & ipv6
[14:01] hmm this rings a bell for some reason...
[14:01] EmilienM: I suppose those match localhost right?
[14:02] jamespage: 127.0.0.1 and ::1
[14:02] we don't match on localhost because we want to test ipv4 & ipv6 endpoints
[14:02] jamespage: but ipv6 tests don't run on ubuntu, so consider 127.0.0.1 only.
[14:02] ok
[14:03] EmilienM: verbose output of that update-ca-certificates looks like it might help
[14:03] EmilienM: I'd like to check that your cert is getting into /etc/ssl/certs/ca-certificates.crt
[14:03] yeah, CI is currently running
[14:03] you can grep for a line or so in that file to match
[14:08] EmilienM: might be relevant
[14:08] http://www.python.org/dev/peps/pep-0476/
[14:08] trusty has a pre 2.7.9 python 2.7 version
[14:09] ok I have logs
[14:09] a sec
[14:10] EmilienM: OK my SSL cloud appears completely functional, so it must be something to do with the way you're doing cert and building the trusty chain
[14:10] just a hunch
[14:10] trust chain
[14:10] not trusty...
[14:10] ok
[14:10] I'm trying to get the logs
[14:11] job is still running, will show output in a few min
[14:12] ok stepping away for a bit...
[14:12] biab
[15:03] my network card does not come up at start/boot, i need to do an ifdown eth0 and then ifup eth0, how do i fix it?
[15:29] rbasak: i assume you're gone already, but if not o/; and if so, can we sync up tmrw AM?
[15:42] hallyn, somehow your 1.3.4 libvirt merge did upgrade without issues and it even seems to boot Xen PV and HVM guests... I wonder what I am doing wrong... ;) nice job
[15:54] smb: did you get a systemctl preset error on upgrade?
[15:54] once i finish testing my kernel patch i was going to try and reproduce that with a minimal empty pkg set
[15:57] hallyn, hm, not that I remember. I might have missed it if it did not cause an upgrade failure. But systemctl status on libvirtd was ok. Not sure whether one would now expect libvirt-bin to be the alias (or whether that actually is possible)
[15:58] smb: it is now the alias, and on clean installs that works
[15:59] jamespage: http://logs.openstack.org/30/308530/18/experimental/gate-puppet-openstack-integration-3-scenario002-tempest-ubuntu-xenial/e17a5b4/console.html#_2016-05-18_15_26_02_283
[15:59] hallyn, ah ok. so that would be the only odd thing: "systemctl status libvirt-bin" reports it as not running. Even after reboot...
[16:00] jamespage: and http://logs.openstack.org/30/308530/18/experimental/gate-puppet-openstack-integration-3-scenario002-tempest-ubuntu-xenial/e17a5b4/console.html#_2016-05-18_15_26_13_161
[16:00] smb: yeah i think that may even be the whole problem - maybe systemd is trying to set up the symlink for the Alias and that fails bc something already exists
[16:02] hallyn, I believe that is what is done. But I don't know how one is supposed to cleanly do that switch-over
[16:02] :) I can tell you that it worked before an init-system-helpers update in yakkety
[16:02] so it still may really be a bug there
[16:03] or, i was always doing something wrong and the old code just let it fly
[16:05] hallyn, :) I would not want to claim I knew what is right or wrong when it comes to systemd... one thing I just noticed is that status reports active running and then "bad" whatever that means
[16:14] is the package PuppetMaster still broken for 16.04? I'm trying to install it through apt-get, and it fails
[16:15] jeeves_moss: fails how?
[16:15] nacc: "Job for puppetmaster.service failed because a timeout was exceeded. See "systemctl status puppetmaster.service" and "journalctl -xe" for details."
[16:16] nacc: full error ---> http://pastebin.com/3KNDZ4Nx
[16:17] jeeves_moss: anything in the referred to logs (feel free to pastebin them too)
[16:17] one sec. I'll have a look once this wget is done
[16:19] smoser, is it possible to do "xnox hates cloud-init networking" via cloud config drive and/or via user data and/or vendor data?
[16:22] ugh, I miss having a box in the datacenter. Trying to do a setup at home takes forever!
[16:27] nacc: lol. looks like it couldn't make the .pid file.
[16:29] jeeves_moss: permissions?
[16:29] nope.
[16:30] nacc: "puppetmaster.service: Failed to read PID from file /run/puppet/master.pid: Invalid argument"
[16:30] jeeves_moss: does said file exist? and have valid contents?
[16:31] the file didn't exist. so I tried touching the file, and re-running the installer
[16:33] jeeves_moss: it probably needs a pid in it
[16:33] jeeves_moss: but i might be wrong
[16:33] nacc: http://pastebin.com/WWWw7Hny
[16:34] jeeves_moss: that still happens you mean? or was that the original error?
[16:35] nacc: original error. new server, new install
[16:35] jeeves_moss: and after `touch` it gets further?
[16:35] jeeves_moss: just fyi, it would be good to file a bug (or see if one is filed) for puppetmaster that it fails to install due to the above
[16:36] I had a look through the service file, and it should be "master.pid"
[16:37] I'm going to see if it fails again.
[16:37] would be nice if I can file a bug. would be the first one I've ever filed
[16:37] !bug | jeeves_moss
[16:37] jeeves_moss: If you find a bug in Ubuntu or any of its derivatives, please file a bug using the command « ubuntu-bug » - See https://help.ubuntu.com/community/ReportingBugs for other ways to report bugs.
[16:38] :)
[16:39] typical. most things I want are always broken
[16:40] jeeves_moss: fwiw, the version in 16.04 (and yakkety) is the same as in debian, so it's probably a debian bug, really -- would be good to verify if it happens there too
[16:41] not strictly necessary, but it will probably get asked in the bug :)
[16:41] nacc: lol. nobody's got time for 'dat. --> http://s2.quickmeme.com/img/a0/a0ed68c2b414e58e131e7fa1c7ac66e4df4a14d30df577734812cdb95d9aaa99.jpg
[16:43] ohhhh, new error!!! java isn't installed. might be a dep problem here guys
[16:43] all of this to manage 8 machines
[16:45] jeeves_moss: puppet shouldn't need java? it's a ruby tool
[16:45] i thought
[16:46] hummm, we shall see. I tried installing the latest snapshot from puppetlabs, and that's what I got. so, we shall see
[16:46] jeeves_moss: hrm? so not the ubuntu package?
[16:46] no, I grabbed the latest from their site. if it installs, then the one in the repo is suspect
[16:48] nacc: it says puppetserver requires java
[16:49] jeeves_moss: "it" being their version?
[16:49] their being puppetlabs?
[16:50] yes. the latest from puppetlabs. if that package works, then there is something wrong with the package in the ubuntu repo
[16:50] well, they are different versions clearly
[16:51] jeeves_moss: puppetmaster (ruby based) is not to be confused with puppetserver (java based)
[16:51] sdeziel: thanks
[16:51] nacc: np
[16:53] sdeziel: any ideas on how to fix this install issue?
[16:54] jeeves_moss: the puppetserver or the puppetmaster on?
[16:54] s/on/one/
[16:54] sdeziel: puppetmaster
[16:55] sdeziel: this is the error we are getting. http://pastebin.com/3KNDZ4Nx
[16:56] jeeves_moss: I don't have any experience with puppetmaster directly. I've only used "puppetmaster-passenger" on Trusty
[16:57] jeeves_moss: if you pastebin "systemctl status puppetmaster.service" and "journalctl -xe" I could look at them though
[16:57] sdeziel: the outputs are in http://pastebin.com/3KNDZ4Nx
[16:58] jeeves_moss: I only see the apt install failure log
[17:00] hummm. one sec. it looks like even the latest package from puppetlabs suffers the same issue
[17:01] jeeves_moss: upstream focus seems to be on the Java based daemons (puppetserver and puppetdb) so it's possible the legacy version isn't in top shape
[17:01] hummmm
[17:02] at this rate, I should just abandon this mess
[17:02] jeeves_moss: but for those you will get better support in their own channel
[17:03] I've asked in there, it's a ghost town!
[17:04] jeeves_moss: hmm OK. If you want a puppetmaster/server and want to use the upstream apt repo, you are better off using Trusty because they don't yet officially support Xenial as the server role
[17:06] sdeziel: fun. how do I get the previous release if I'm installing with apt-get?
[17:07] jeeves_moss: apt-get install foo=
[17:07] hummm, google!!
[17:22] jamespage, https://git.launchpad.net/~corey.bryant/ubuntu/+source/python-microversion-parse
[17:59] hi there everyone
[17:59] I wonder if I could get a little advice please?
[18:00] about me running my home server with Ubuntu Server installed
[18:00] my network card does not come up at start/boot, i need to do an ifdown eth0 and then ifup eth0, how do i fix it?
[18:01] davethenoob: A more specific question might be more useful for someone to give an answer to :)
[18:01] !ask
[18:01] Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[18:02] !poll
[18:02] !best
[18:02] damn bot
[18:02] !giveupwhilstyoureahead
[18:02] hah. fair point. So I have my server installed and have had owncloud running on it and all good. Except that it started running slow and would upload photos to owncloud, which made me think it could have been a ddos attack. My question is can you recommend some good steps to do tonight to help minimize that risk?
[18:02] patdk-lap any advice?
[18:03] thanks in advance
[18:03] it's 14.04
[18:03] coreycb, oh i forgot to confirm that i pushed kilo-proposed to updates, except for qemu earlier.
[18:06] beisner, cool thanks
[18:06] davethenoob: Move ssh from port 22 to something more obscure, above 1024. Use key based authentication and not password based. Install and configure fail2ban
[18:08] genii, how does any of that help?
[18:08] he wants ddos protection
[18:08] you cannot protect yourself against a ddos unless you have enough bandwidth to handle it, or you hide behind someone that does
[18:08] you could completely firewall port 22 and not even have ssh or any other service open
[18:08] i have a home server that I want to access from outside home with owncloud and subsonic
[18:08] but you're still vulnerable to a ddos
[18:09] I have pasted an iptables rule into terminal
[18:09] iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
[18:09] that one
[18:09] davethenoob, what is the goal?
[18:09] cause nothing you do on that server will help protect you from a ddos
[18:09] that limits http connects, not ddos
[18:09] patdk-wk: When someone is trying to bruteforce ssh passwords, it effectively chews up all the bandwidth and can cause outages
[18:09] and used iptables-persistent for it
[18:10] genii, yes, but that is hardly ddos protection
[18:10] he asked for ddos
[18:11] now to do more, stop bad/unwanted things from using your bandwidth, there are millions of things you can do
[18:11] but you should find out what is using your bandwidth to find out what you should attempt in what order
[18:12] but no matter what you do, it is a simple job for someone to ddos you, just by flooding too much traffic to you
[18:12] it doesn't matter if you have an iptables rule that says DROP all incoming
[18:25] thanks for the advice guys.
[18:25] After thinking, I think i'm gonna just make it a local server and not accessible from outside
[18:25] for safety
[18:26] or start off local then maybe make it web-facing when I have some more knowledge / confidence
[18:44] ~/win 8
[19:07] can someone help me on how a thinclient connects to a vm on either xenserver or vsphere esxi? how do i set up a thinclient to connect to a vm on a server?
[19:09] what is this *thinclient*?
[19:09] what protocol does the thinclient use to boot into a vm? what server serves the thinclient
[19:09] a thin client machine - no cd/dvd, no hard drive. just boots a VDI off the network.
[19:10] very small and minimal machine
[19:10] ok, but what does that have to do with a vm at all?
[19:10] i assumed a thin client connects to a vm
[19:10] how does it work then
[19:11] I guess this is more a question for your thinclient seller
[19:11] someone give me the basics pooo lease
[19:11] you need to know what your thinclient supports, what it can do
[19:11] I dunno what you mean by connects to a vm
[19:11] have u ever worked with/set up a thinclient before patdk-wk
[19:12] the *standard* definition of a thin client is a basic monitor/keyboard that has no, or very few, programs installed
[19:12] fellayaboy, around 15 years
[19:12] i thought a thin client machine boots an operating system off a server somewhere
[19:12] it might, it might not
[19:12] that depends on the thin client
[19:12] i see
[19:12] well in this case let's say it does
[19:12] it might have a 1gig cf card or something
[19:13] what's cf?
[19:13] yes, but I don't know what one you have, what it wants to do, does it do iscsi? nfs? http? how does it boot, what image does it expect?
[19:13] is it pxe? dhcp?
[19:14] so thin clients can boot straight to iscsi, nfs, http, pxe
[19:14] thinclients is a generic term that means nothing
[19:14] i see ok makes sense
[19:14] it is a catchall for any simple, reimagable bare-minimal workstation
[19:15] a thinclient could be custom hardware, that runs custom firmware
[19:15] it could be normal computers
[19:15] it could be normal computers that boot remotely, centrally
[19:15] but generally they are stripped down graphics, minimal ram, ...
[19:16] well, i want to create a system where i can use cheap inexpensive thin clients that connect to a centralized server, where they can run an operating system.
[19:16] normally only powerful enough generally to remote into something else, like using rdp/vnc
[19:16] through the network
[19:17] sounds like you want to recreate vmware view with desktop hardware
[19:17] you're going to end up running a full blown desktop os on the clients, in order to run vnc, if you roll this yourself
[19:17] i guess that would be it.. i haven't used vmware view, i've used esxi server and client and rdp to connect to a vm
[19:18] but never used a thin client to connect to one
[19:19] i want to have inexpensive thin clients connect to a server. have the server do all the work etc. and so that i can expand it all i want of course. add more vm's, more endpoints. put all the load on the server.
[19:20] using a 10gbps network card if i have to with heavy duty switch/router etc
[19:20] you cannot put all the load on the server
[19:20] you can only put the cpu/ram load onto the server
[19:20] all graphics load will be on the client
[19:20] and on the server
[19:21] well not all, just want to have inexpensive endpoints thus thin clients
[19:21] and the vnc/rdp/... protocol processing on the client
[19:21] that part is fine
[19:21] so there are some thinclients that have in their bios a vnc/rdp protocol running already? or some kind of embedded os?
[19:21] yes
[19:22] oh i see that makes sense
[19:22] and some have the option to boot off iscsi and nfs right
[19:23] what i want to do is create a Point of Sale network system. say for a store. using all open source technology
[19:23] maybe, those are getting not as thin then
[19:23] i see
[19:23] well now i know that some thinclients use vnc rdp in their embedded os
[19:23] that gives me a little headstart and some clarity
[19:23] thank you patdk-wk
[19:41] So the Vagrant Xenial cloud images are currently broken. In the past, ultlemming fixed a Vagrant cloud image issue ASAP. Is he or someone else able to fix this?
[19:41] https://bugs.launchpad.net/cloud-images/+bug/1565985
[19:42] Launchpad bug 1565985 in cloud-images "vagrant vb ubuntu/xenial64 cannot mount synced folders" [Undecided,New]
[19:49] mikedep333, interesting.
[19:50] dpkg -s virtualbox-guest-utils is missing.. and post #7 about standard ssh keys missing..
[19:50] i am glad about that last part, security wise
[19:51] Yeah. Empirically, the ssh solution is working, but the shared folders are not.
[19:52] not even after manual install, like post #5?
[19:52] it looks like someone builds the virtualbox kernel modules without the package being installed
[19:52] jups
[19:52] corporate
[19:52] the other virtualbox packages are not installed either
[19:53] is it fixed in v20160518.0.0 (last release 2 hours ago)?? https://atlas.hashicorp.com/ubuntu/
[19:53] So I should use those images rather than the ones on http://cloud-images.ubuntu.com/ ?
[19:54] those are the same, see the last comment.
[19:54] ok
[19:55] I'll try them out, thanks
[22:00] hello again. thanks for the help earlier
[22:02] I have opted for a local home server with a computer running ubuntu server. I now just have a pptp port open so i can vpn into the home network and upload any new photos to my owncloud
[22:02] are there any security measures to put in place when taking this route at all please?
[22:03] davethenoob: pptp is known insecure
[22:03] davethenoob: for alternatives you could check out OpenVPN or some IPsec implementations
[22:04] umm. is it easy to swap?
[22:04] I am a complete noob to server stuff. I'm just learning the ropes. I'm a php dev by trade
[22:04] which do you suggest between the two?
[22:05] davethenoob: OpenVPN as you'll be able to reuse the pptp port (TCP/1723)
[22:05] davethenoob: why not just use SSH to manage the server?
[22:05] davethenoob: this will save you a trip to your router's config
[22:06] all I need it for is to access music on my Subsonic, or photos on ownCloud, both through Android apps pointing to 192.168.x.x
[22:06] I just want a VPN to access it from outside
[22:07] davethenoob: OpenVPN is available on Android as well
[22:07] sdeziel: so I just apt-get install openvpn, disable PPTP and enable OpenVPN?
[22:09] davethenoob: that's a good starting point. Then you'll want to head to https://openvpn.net/index.php/open-source/documentation/howto.html for the configuration
[22:10] davethenoob: you can also take a look at https://help.ubuntu.com/community/OpenVPN but I'd recommend avoiding a bridged VPN (tap); prefer the tun/routed style
[22:12] https://help.ubuntu.com/16.04/serverguide/openvpn.html
[22:12] ?
[22:13] davethenoob: that's actually an excellent guide
[22:14] darn it
[22:14] just realized I'm using my Raspberry Pi as the VPN server
[22:17] davethenoob: I have to go. Good luck with the VPN
[22:45] anyone here good with AppArmor?
[22:45] hi Bae, what's up?
[22:49] hey sarnold. glad I found someone who uses the project. I have a question about it. When I installed it and enabled it, what I saw was that it creates profiles for every bin/ binary out there. That means it creates some for ping etc., all that jazz. My question was about the default state of such bin files in the context of AppArmor. As in, are they all set BY DEFAULT to inherit permissions/rules from their parent (calling process)?
[22:50] Bae: it depends upon the profile of the calling process. If the calling process is unconfined, then the "attachment specification" at the start of the profile says which programs to confine and with which profile
[22:50] an example of this would be: say I made a nodejs file that calls the ping binary. Would the ping binary BY DEFAULT (right after installing AppArmor) be set to inherit AppArmor permissions from the parent? As in, if the parent is not allowed to access the network, the ping service would be denied by AppArmor?
[22:51] Bae: does your nodejs program run confined or unconfined?
[22:51] sarnold: confined, and that will be enforced
[22:52] Bae: if you want to allow ping to run as expected, you could use /bin/ping Px, rules in the nodejs program's profile
[22:53] sarnold: a better example I thought up right now would be something like, say, if my nodejs profile is not allowed to edit a file in a directory, say /home/someone/blockedDir/. I would add deny rules in the nodejs profile. Cool. But what if nodejs calls another process to run (another binary) that is set to access that very folder? I want to make sure that that child process binary cannot also access that particular folder, ONLY if nodejs calls it
[22:54] Bae: if you want to forbid ping's networking but still let it be run (for whatever reason...) you could use /bin/ping Cx -> ping, rule, then add a "child profile", something like "profile ping { ... }" to your nodejs profile..
[22:55] OH I see what you mean sarnold. So that means I could leave the ping binary as is, and then in the nodejs {} I add a nest that shows the binary for ping {} that disallows it. Cool.
[22:56] shows the rules for ping {}*
[22:56] Bae: you could also use 'ix' rules instead of 'cx' -- then they'd run with the same privileges. But I like to encourage Cx where practical, since it can often be a drastic reduction in what privileges are allowed where
[22:56] I should say
[22:57] sarnold: if I were to use ix (inherit, right?) I would have to set ix in the ping binary's profile, right? Not in the branched profile of the nodejs one
[22:58] Bae: btw, even though apparmor does allow you to write e.g. "allow /home/** r, deny /home/sarnold/** r," it's really best to stick to _whitelisting_ as much as you can. It's often possible to construct attacks that get at data that is denied via a "deny" rule
[22:58] yeah, that's the plan. The deny thing was an example. My idea is to only whitelist certain directories and functions
[22:58] Bae: the nodejs program's profile would use "/bin/ping ix," -- and the global /bin/ping profile is left alone completely
[22:58] Bae: okay, good, good :)
[22:59] sarnold: the /bin/ping ix in the nodejs program's profile is not saying "inherit rules from ping"?
[22:59] because I want ping to inherit from node, not node to inherit from ping
[22:59] Bae: correct; it is saying "when executing ping, it inherits this current profile"
[23:00] ok, let me do a quick clarification example if you don't mind
[23:00] or, rather, "when a program executing in this profile executes ping, ping inherits this current profile"
[23:01] AH yes
[23:01] ok
[23:01] so in here: http://pastebin.com/ArQFSCeF this is saying: when ping is born from the nodejs app, ping inherits from the nodejs app. Right?
[23:02] Bae: ahh, skip the "-> child1," bit when using ix rules
[23:02] that's from the site lol
[23:02] sorry
[23:02] Bae: it is? can you link me? :)
[23:03] maybe they did it for clarification, but here: so sarnold, to ensure maximum security
[23:03] ugh
[23:03] http://wiki.apparmor.net/index.php/QuickProfileLanguage
[23:05] so sarnold, to ensure maximum security, what I could do then is in the nodejs app I could put all the names of binaries that are profiled and tell them all to inherit rules from the nodejs app. In this way, any sort of exploit into the nodejs child processes would be thwarted. What do you think about it?
[23:05] Bae: you should only need to add 'ix' rules for programs that your nodejs program actually executes
[23:06] sarnold: so what is the best way to see what programs nodejs executes? Or rather, that AppArmor detects that the nodejs program executes?
[23:06] Bae: if it only ever calls awk and sed, for example, you could just add /usr/bin/awk ix, /bin/sed ix, and be done :)
[23:06] Bae: aa-logprof should prompt you for them, but.. that family of tools is cranky. please file bugs as you find them. :)
[23:06] oh ok
[23:07] yeah, I was thinking of something like valgrind that shows all the processes as you run it
[23:07] but in AppArmor :p
[23:07] Bae: you'll find them in the logs: apparmor="DENIED" operation="exec" profile="/tmp/bash" name="/tmp/ls" pid=21726 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[23:08] or apparmor="ALLOWED" if you're running the profile in learning mode, of course
[23:09] so the best way for me to proceed right now to ID these processes first would be to run it in permissive mode, generate logs and unit test the full app
[23:09] then grep those logs for all the processes generated, then add those to the nodejs app profile in AppArmor with the ix
[23:09] you ought to be able to get apparmor to report all execs using something like (UNTESTED): "/tmp/bash { file, audit /** ix, }" :)
[23:09] to make sure that all the processes nodejs can ever generate will be inheriting rules from the original one :)
[23:10] ah, thank you so much sarnold, you are very helpful :D
[23:10] Bae: the aa-genprof tool should step you through those steps :)
[23:10] yeah, I did that lol. It just generates a boilerplate
[23:11] I want something I can look through, so that I can see those logs and see exactly what file is called and where
[23:11] aha, then you sound like you -do- want to do things by hand. :)
[23:11] Hello, I'm having trouble finding the xdebug config file in Ubuntu Server
[23:11] I do, yes sarnold
[23:11] anyway, I will be saving this conversation
[23:11] I don't mind getting my hands dirty
[23:13] Bae: there's also #apparmor on irc.oftc.net in case there's no one around here who can help
[23:15] oh, I did not know that! thanks so much :)
[23:15] sure thing :) have fun :)
[23:15] yeah sarnold, thank you so much for all your help