/srv/irclogs.ubuntu.com/2016/05/20/#ubuntu-server.txt

HappySomethingSo	What changed in regards to setting up a static ip on 16 vs 24?	00:00
HappySomethingSo	thanks	00:00
HappySomethingSo	vs 14*	00:00
sarnold	"no longer works", what fails?	00:00
HappySomethingSo	it doesn't set the assigned ip	00:00
HappySomethingSo	sarnold: this is what my image came with: http://pasted.co/212f34e7	00:02
HappySomethingSo	I do not recognize the last line from ubuntu 14	00:02
HappySomethingSo	sarnold: I have a feeling the problem's there	00:02
sarnold	HappySomethingSo: what is your interface named? 'ip link' should show you the name; add your configuration to the file, then try to bring it up with ifup <interfacename>	00:04
HappySomethingSo	sarnold: in /etc/network/interfaces.d I have a file named 50-cloud-init.cfg with this in it: http://pasted.co/e213548b	00:04
sarnold	HappySomethingSo: aha, does that match your interfacename?	00:04
sarnold	HappySomethingSo: do you want it to use dhcp?	00:04
genii	sarnold: Any .cfg files he makes in interfaces.d get wiped out next boot, any changes he makes to the existing file there also get reverted	00:05
HappySomethingSo	sarnold: yes, eth0 is now enxb827eb7c6bae apparently. I ant to use a static ip	00:05
HappySomethingSo	not dhcp	00:05
genii	sarnold: ( we were just going through this issue in #ubuntu and I referred him here for more specific help )	00:06
sarnold	hey genii :)	00:06
* genii waves		00:07
sarnold	HappySomethingSo: are you using cloud-init intentionally? if not maybe the easy answer is uninstalling it	00:08
HappySomethingSo	sarnold: it's a fresh image, I haven't touched anything	00:09
HappySomethingSo	what exactly is cloud-init?	00:09
sarnold	cloud-init makes it easy to fire up VM images (or actual hardware, in the case of MAAS) and have them "autodiscover" their configuration: networking, package repositories, new users, packages to add, etc. I find it a bit underdocumented but they have some nice examples up that give the flavor of what it does: http://cloudinit.readthedocs.io/en/latest/topics/examples.html	00:10
HappySomethingSo	sarnold: I see, well if it came preinstalled I'd rather not meddle with it	00:11
HappySomethingSo	ok	00:11
HappySomethingSo	I think I've got it	00:11
TJ-	that explains it, "50-cloud-init.cfg" is created by cloud-init, so of course it'll get overwritten	00:11
sarnold	HappySomethingSo: interesting, this feels like it might also interact poorly with this bug https://bugs.launchpad.net/cloud-init/+bug/1571004 -- but I'm not 100% sure ..	00:12
ubottu	Launchpad bug 1571004 in cloud-init "apply networking only on first instance boot" [Medium,In progress]	00:12
genii	Now that my curiosity is sated, I'm off to watch hockey	00:12
HappySomethingSo	sarnold: genii: TJ-: I managed to get the static ip working, I edited /etc/network/interfaces like usual but used the new interface name instead of eth0 (which is werid because it was called eth0 on the 50-cloud-init file until I rebooted it a couple of times)	00:13
sarnold	HappySomethingSo: and it sticks across reboots?	00:14
HappySomethingSo	sarnold: I've rebooted it twice more and it seems like it's staying on the desired ip	00:14
HappySomethingSo	so it was a problem with the interface names	00:14
HappySomethingSo	thank all of you for your help	00:15
sarnold	HappySomethingSo: excellent, I'm glad that was sufficient. :) like I said, I find cloud-init underdocumented, so I feared trying to find the fix if something simple didn't do it. :)	00:15
HappySomethingSo	I was quite lost	00:15
HappySomethingSo	:)	00:15
sarnold	there's Good Reasons for these new interface names but it's going to take me another twenty years or something to get used to them.	00:15
HappySomethingSo	sarnold: yeah, I thought something had gone wrong and that it was an error when I first saw the new name	00:16
sarnold	understandable :)	00:18
Datz	Hi, I'm having trouble network troubles with my install of 16.04. I can't install packages, and I can't ping outside servers. I'm currently logged in remotely though. I think there is some sort of DNS trouble. Any ideas?	02:08
sarnold	can you ping by ip address? try e.g. ping 8.8.8.8	02:09
Datz	This is what I'm getting trying to install a package : http://hastebin.com/iwozasesig.vhdl	02:11
Datz	sarnold: yes, I can	02:12
sarnold	Datz: alright, cat /etc/resolv.conf -- that should list some nameservers. ping each one in turn..	02:12
Datz	ok	02:13
Datz	sarnold: resolv.conf appears to be two commented lines long	02:14
OerHeks	Datz, on 16.04?	02:14
Datz	yes	02:14
OerHeks	then you suffer this bug, https://bugs.launchpad.net/ubuntu/+source/appstream/+bug/1579712	02:14
ubottu	Launchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]	02:14
Datz	think so.. just installed today	02:14
OerHeks	lot of heat.. remove it, and you'll be fine, patch is in proposed	02:15
sarnold	OerHeks: .. how does that bug lead to busted dns?	02:15
OerHeks	you don't need that appstream , it is optional	02:15
Datz	so run sudo appstreamcli refresh --force ?	02:15
OerHeks	sarnold, not sure how, but removal fixed it for a lot of users in #ubuntu	02:15
sarnold	OerHeks: ouch :/	02:15
OerHeks	i know, ugly fix ..	02:16
sarnold	Datz: well, lets try OerHeks's suggested fix :) apt-get purge appstream	02:16
Datz	ok, will do	02:16
sarnold	OerHeks: did they need to do anything else along the way? re-poke apt in the eye or reboot or something else?	02:17
OerHeks	ehm, good point. after removal, i would (try) to rerun apt update	02:18
Datz	purged.. still not resolving.	02:18
JanC	actually, the package in -proposed doesn't fix that bug :)	02:18
OerHeks	#30 john wang - The reason I warned against removing the binary is because it's a bad practice in general, even though in this particular problem scenario the removed binary gets restored when its package is upgrade	02:19
OerHeks	:-(	02:19
JanC	or, wait, maybe it's because it tried to install appstream before libappstream or something	02:20
JanC	right, that was it	02:23
Datz	So, is there a workaround or fix, or am I holding tight for now?	02:23
sarnold	OerHeks: I think that was specific to the "rm /usr/bin/appstream*" advice or whatever it was	02:24
JanC	Datz seems to have a DNS issue	02:25
sarnold	Datz: well, as a half-ass solution you could try adding "nameserver 8.8.8.8" to your /etc/resolv.conf by hand; that'll use google's public resolver	02:25
sarnold	JanC: OerHeks said the appstream screwup broke a bunch of people's dns. it seemed worth trying.	02:25
Datz	I like the sound of htat	02:26
Datz	that*	02:26
Datz	I think I've had to do this before actually. Maybe something with my network instead.	02:26
sarnold	if you've got a dhcp server that hands out leases without giving you dns server info that might be able to do it	02:27
sarnold	but tbh since I never see that situation that's a wild guess	02:27
OerHeks	more info now on the bug page	02:28
OerHeks	https://bugs.launchpad.net/ubuntu/+source/appstream/+bug/1579712	02:28
ubottu	Launchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]	02:28
Datz	sarnold: I'm not sure if that's the case or not. Adding that nameserver does seem to fix the problem though.	02:28
Datz	Will that nameserver be overwritten as stated in the comments of resolv.conf ?	02:29
Datz	Also, I guess I can add back appstream?	02:30
sarnold	Datz: meh, as far as I can tell appstream just downloads 8 megabytes of icons incase you want to browse gnome-software-center or something like that. If you're in here asking for help you'll probably never notice it's gone. ;)	02:30
Datz	Ah, yes.. no gui.. ok guess I don't need it. Surprised it was added with the netinstall.	02:31
sarnold	Datz: it's possible that the file will be re-written to be useless. if that keeps happening you can either uninstall the resolvconf package or you can figure out the /etc/resolvconf/resolv.conf.d/ files to re-add this..	02:32
Datz	sarnold: great I'll make a note, and try and do this. Thanks.	02:33
sarnold	Datz: note that there's half-billion people in the world using the google dns recursor -- while there's some safety in numbers, it feelsl ike I ought to let you know that that -is- a step outside of whatever the machines next to you might be doing	02:33
sarnold	Datz: so e.g. local hostnames may not resolve correctly, or a local cache may do a better job for you. (or google's might be faster. most ISPs suck at running DNS so many people do get better results with google...)	02:34
Datz	In the past I've added google's DNS servers without every really thinking about it. Maybe my isp is better ,I don't know :)	02:36
Datz	I assume I can add some redundancy..	02:39
sarnold	funny thing with dns, redundancy isn't always better -- finding one server that works is way better	02:41
sarnold	and dns is super strange, the recursors get far better the more traffic they have	02:41
sarnold	if they have all data already cached because someone else asked for a second ago, you'll get a muchf sater response..	02:41
sarnold	one hot recursor is almost always better than two cool recursors	02:42
sarnold	in stark contrast against e.g. web servers where multiple cool servers are usually better than one hot server :)	02:42
JanC	it depends on how hot, of course	02:44
JanC	webservers use lots of caching too (filesystem cache, database table/query cache, memcached, etc.)	02:45
sarnold	yeah, if you can get webserver ram served stuff, that's best :)	02:46
patdk-lap	sarnold, depends :)	02:50
sarnold	patdk-lap: just buy more ram of course! :)	02:50
patdk-lap	caching helps, but not tuning the recursor properly and giving it too much ram	02:50
patdk-lap	can cause it to get slow as crap	02:50
patdk-lap	ya, but unlike most things, dns is one huge hash table lookup, can cause all kinds of issues when it gets large	02:51
patdk-lap	you talking normally about caching 200bytes or so maybe 1k per entry :)	02:51
patdk-lap	hot webservers are good, just not hot cgi/fcgi/... servers :)	02:52
* patdk-lap can't imagine what it would take to run 10k r/s wordpress site, without static caching		02:53
sarnold	but 10qps dns recursor ought to be standard desktop thing :)	02:54
patdk-lap	10qps dns is less than a web browser does :)	02:55
sarnold	of course i meant 10kqps :)	02:56
sarnold	10qps .. well, tandy 1000 :)	02:56
JanC	tandy 1000 would have zero memory left for caching probably :P	02:57
patdk-lap	sarnold, dunno	02:58
patdk-lap	my large dns installs, are only doing 1kqps recursive, and 300qps authorative	02:58
patdk-lap	using two primary large recursives, and tiny ones on the smtp servers	02:59
AndyWojo	the link to hp moonshot on the arm server page is broken btw	03:51
AndyWojo	http://partners.ubuntu.com/hp?_ga=1.169315112.868843675.1460222902	03:51
AndyWojo	http://www.ubuntu.com/download/server/arm down at the bottom	03:51
AtuM	Hi. I am having some trouble starting nfs-kernel-server as rpcbind starts after the nfs service. any thoughts? I see that nfs service is started by init script while rpcbind is already converted to systemd unit	06:39
AtuM	I've found bug #1558196 .. but the solution provided makes no difference	06:41
ubottu	bug 1558196 in rpcbind (Ubuntu) "ypbind not able to socket activate rpcbind under systemd, fails at boot unless something else starts rpcbind" [Undecided,Triaged] https://launchpad.net/bugs/1558196	06:41
halvors	Anyone knows if the "lo" interface is added by the kernel in Ubuntu?	07:01
halvors	Even after emptying the "/etc/network/interfaces" file it is added.	07:01
AtuM	halvors, lo is added by networking service or network-manager	07:02
AtuM	having lo is essential to many services running on linux	07:02
halvors	Yeah, the thing is that i want to disable the "network" service in favor of "systemd-networkd"	07:04
AtuM	halvors, having "lo" does not impact you then.. either way you will need it.	07:05
AtuM	it might be brought on by systemd.. i have not checked that yet..	07:06
halvors	AtuM: Yeah i know, just wondering if it's added by ifupdown or systemd :)	07:07
halvors	Not going to remove it.	07:07
halvors	AtuM: Do you know how to disable ifupdown?	07:07
AtuM	halvors.. check /etc/init/network-interface.conf.. there are some definitions there..	07:07
AtuM	systemd still needs configuration files to do anything	07:08
halvors	Yeah i know.	07:08
AtuM	in the mentioned conf file it is stated for "lo" : # bring this up even if /etc/network/interfaces is broken	07:09
AtuM	so there you have it	07:09
AtuM	halvors, no, i've never tried to disable ifupdown.	07:11
halvors	Ah ok, thanks :)	07:12
AtuM	how would i tell systemd to start rpcbind before nfs-kernel-server ? I'm doing a workaround by restarting both services inside rc.local, but i really do not like doing things this way	07:13
sobersabre	hi, I managed to configure my ubuntu server as a member to active directory. I have ids problem.	08:05
sobersabre	I also ran ldapsearch and it seems there's some kind of pre-defined list of attributes used by ldapsearch	08:05
sobersabre	I'm noticing the attributes I want to be mapped in /etc/ldap.conf are not listed in the LDIF query result.	08:06
AtuM	ubuntu's defaults are not made for microsoft ad. you might need to adjust those attributes	08:10
Walex	sobersabre: schemas...	08:35
davethenoob	hey yall	10:12
davethenoob	I have a vpn question if i may?	10:13
davethenoob	i have tried setting up openvpn on my raspberry pi and moved client key to phone and used openvpn client on android phone, but the connection just stays at 'waiting server response'	10:19
davethenoob	After trying many times various openvpn guides, i have decided to go back to using pptp, which i have set up before	10:19
davethenoob	is there a way a making pptp a bit more secure? Limiting to a specific device to connect from etc?	10:20
davethenoob	not completely ubuntu-server, but i am trying to connect to my network to get access to my owncloud/subsonic, which is on ubuntu server	10:20
davethenoob	thank you in advance	10:20
rbasak	I wouldn't trust pptp. I'd focus on making openvpn work.	10:21
rbasak	It might be worth running tcpdump on the server to see if two way traffic is getting through.	10:22
TJ-	davethenoob: first thing on the server-side is consult and watch the logs, having enabled additional verbose debug log messages	10:23
frickler	jamespage: chown -R root:neutron /etc/neutron/ in neutron-common.postinst breaks our deployment, was this added recently?	10:27
davethenoob	hmm okay	10:28
davethenoob	ill give it another go	10:28
jamespage	frickler, not changed for a long time...	10:28
jamespage	Date: Thu Apr 30 15:29:57 2015 +0200	10:29
jamespage	was the last touch on that file - and tbh that was the creation of the git repo its in...	10:29
davethenoob	how does tcp dump work? Do run it and then connect from phone client?	10:29
frickler	jamespage: ok, well, nevermind then, nothing that a decent chef-client run couldn't fix ;)	10:30
davethenoob	can anybody recommend a good step by step guide for installing openvpn on raspberry pi? Ive tried a couple and one video guide.	10:30
robb_nl	try #raspberrypi or #openvpn	10:31
TJ-	davethenoob: "apt-get install openvpn" and add a config in /etc/openvpn/server/ I think it is	10:38
jamespage	coreycb, added ironic, trove and nova-lxd to CI; ironic does not like xenial; nova-lxd foobar on newton generally	12:08
coreycb	jamespage, ok	12:09
coreycb	jamespage, we were 100% success at one point yesterday	12:09
jamespage	coreycb, yup	12:10
=== Guest24582 is now known as devil_
jamespage	coreycb, ddellav: horizon bugs could do with some love. https://bugs.launchpad.net/ubuntu/+source/horizon/	12:34
coreycb	jamespage, I'll take a look	12:35
PMunch	Hi, I'm having a little trouble after I updated from 14.04 to 16.04	12:40
PMunch	The problem I'm having is that suddenly none of my git repositories are working	12:40
PMunch	http://pastebin.com/TLCBYxPA that's the error I'm getting when I'm trying to pull a repo.	12:42
=== chuck__ is now known as zul
Sagar	udo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied	13:44
Sagar	sudo*	13:44
Sagar	ubuntu xenial 16.06	13:45
Sagar	what can be the issue?	13:45
RoyK	16.04, perhaps	13:45
RoyK	but what is org.freedesktop doing on a server?	13:45
Sagar	idk	13:45
* RoyK find systemd confusing		13:47
RoyK	s/find/finds/	13:47
Sagar	o.O	13:48
TJ-	its the Dbus path to the IPC damon	13:48
Sagar	is it?	13:48
TJ-	the path is the freedesktop specificied path	13:49
TJ-	Sagar: as I asked in #ubuntu, did the system boot using Upstart? in which case that error would make sense	13:49
Sagar	idk how can i check that?	13:49
TJ-	possibly "cat /proc/cmdline" will have an 'upstart' or something on the line	13:49
Sagar	cat /proc/cmdline => BOOT_IMAGE=/boot/vmlinuz-4.4.0-22-generic root=/dev/md1 ro rootdelay=10 net.ifnames=0	13:50
TJ-	Nope	13:50
TJ-	"permission denied" ... have you modified the sudoers entries at all?	13:50
Sagar	yes	13:51
TJ-	Sagar: so you shot yourself in the foot?	13:51
Sagar	i am root	13:51
Sagar	this is my /etc/sudoers	13:52
Sagar	http://pastebin.com/tChH3sFE	13:52
TJ-	you're root but calling it with sudo?	13:53
TJ-	how about just "systemctl status apache2.service ?	13:53
Sagar	Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied	13:53
Sagar	still the same	13:53
Sagar	is it policy kit?	13:54
TJ-	The error is coming via Dbus	13:55
Sagar	then what should i do?	13:56
Sagar	TJ-?	13:59
TJ-	Sagar: well first I'd return to a vanilla sudoers to determine if those changes are responsible or not (generally its' better not to edit /etc/sudoers but add an additional file with e.g. "visudo -f /etc/sudoers.d/my_admins "	14:00
TJ-	Sagar: I'd also do a reboot in case this is a one-off	14:00
Sagar	rebooted already	14:01
Sagar	i just removed php from my server	14:02
Sagar	after that iam getting these issues	14:02
TJ-	Did something else get removed too? check the /var/log/apt/history.log and /var/log/apt/term.log in case	14:03
jamespage	coreycb, 12 packages togo until 1000 uploads...	14:11
coreycb	jamespage, ha! where do you see that?	14:12
jamespage	coreycb, https://launchpad.net/~james-page/+uploaded-packages	14:12
coreycb	jamespage, that's got to get a karma bonus :)	14:13
jamespage	I'm waiting for achievement unlocked to resound across my office.. :-)	14:13
genii	sarnold: So, did HappySomethingSo's issue last night end up to be cloud-init, in the end?	14:13
coreycb	jamespage, lol	14:14
coreycb	jamespage, I'm fixing cinder for newton	14:26
jamespage	coreycb, microversion-parse is in unstable; I missed two copyright holders for monascaclient - sorting that now	14:26
coreycb	jamespage, ok	14:26
coreycb	ddellav, I see you signed up for glance in the spreadsheet. it's building ok so I think we can hold off until the next breakage.	14:28
coreycb	ddellav, did you do some work on oslo.cache? I see you have it marked as done	14:30
coreycb	ddellav, let me know if you need a sponsor	14:30
halvors	I have a router running linux and a problem with a TCP connection that comes in another interface than it went out is being dropped somehow. This is IPv6, does the kernel do any reverse path filtering?	14:46
ezicial	Ahoy all, I'm looking for help / advice on setting up an IRC server on a dedicated Ubuntu server, the purpose of which is to create a web based IRC chatroom on a website.	14:54
Sling	ezicial: it's probably much easier to use an existing irc network to create a channel	14:54
Sling	unless you have good reasons not to use one	14:54
ezicial	Sling: nope no good reason, we just have the dedicated server so thought why not, it could be interesting...	14:55
Sling	ezicial: having a communication channel on another server is especially useful if you want your community to still be able to reach each other when the server is down :)	14:56
nacc	there is also webchat.freenode.net already	14:56
ezicial	Also I have no idea what the rules are with regards to freenode, etc.'s policy on creating chatrooms for a particular site. In this case an internet radio station.	14:58
ezicial	Don't want to step on any toes if it can be avoided.	14:58
Pici	ezicial: #freenode can help explain	14:58
ezicial	Out of interest sake though, is there any reason not to create our own IRC server other than possible down time (which doesn't really apply since the website is hosted on the same server anyway)?	15:01
Sagar	i am getting this error	15:01
Sagar	root@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied	15:01
ddellav	coreycb ok i'll hold off on glance and yes, oslo.cache is ready, i'll push the repo and send you the link for sponsor directly	15:01
Sagar	what could be wrong?	15:01
coreycb	ddellav, ok. feel free to grab broken packages to work on that have a red dot on the ci dashboard. we're at a point now where most everything is successful and we can spend a little time each day on daily maintenance.	15:04
coreycb	ddellav, how's heat?	15:04
ddellav	coreycb ok, i'll keep an eye on the dashboard. Heat is done. It seemed to create the config properly the way I had it but I updated it with your suggestions. I'll re-push in a minute	15:06
coreycb	ddellav, jamespage: I pushed a new version of cinder for newton, that should fixup today's failure	15:08
maswan	ezicial: no, not particularly, but irc servers are not very widely used as packaged, so you might find some rough corners as you try to set it up	15:10
ezicial	maswan: yep, already seeing some of those rough corners...	15:13
Sagar	i am getting this error root@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied	15:27
ddellav	coreycb lp:~ddellav/ubuntu/+source/oslo.cache ready to go, heat is having build failures after i changed d/rules, looking at them now	15:54
Sagar	anyone who could tell me why i am getting permission denied issue on root@wolf:~# systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied	16:07
ddellav	coreycb i think what happened with heat was because i moved my changes to the master branch and there are dependency issues: https://launchpad.net/~ddellav/+archive/ubuntu/xenial-newton/+build/9778758	16:15
coreycb	ddellav, did you bump those requiremetns up?	16:16
ddellav	coreycb i did not touch d/control at all. Only change I made was to d/rules	16:16
coreycb	ddellav, that's odd. send me a link to your package.	16:17
ddellav	coreycb however jamespage did have an unreleased version bump in the repo that my changes attached to	16:17
coreycb	ddellav, that's probably just daily ci fixes	16:17
ddellav	coreycb lp:~ddellav/ubuntu/+source/heat	16:18
coreycb	ddellav, fwiw heat is building ok. 4 successes today.	16:18
coreycb	on the daily build ^	16:18
coreycb	ddellav, you'll need to build that with the daily snapshot, so use the daily snapshot process	16:20
coreycb	ddellav, also leave the version as 0ubuntu1	16:21
coreycb	ddellav, wait...	16:21
ddellav	waiting	16:21
coreycb	ddellav, nevermind, yes do that and we won't upload the fix until b1	16:21
ddellav	coreycb remind me what is the daily snapshot process? Is that the pastebin james posted about core releases?	16:22
coreycb	ddellav, oh and the depwait you're getting is because you're building it in a xenial ppa	16:22
coreycb	ddellav, yes	16:22
ddellav	ok, i'll use yakkety	16:22
Sagar	service apache2 start doesn't show any output, i am on ubuntu 16.04 xenial	16:23
mpjetta	does anyone know if the 70-persistent-net.rules udev interface tricks should work in 16.04 ? I have a server that can’t decide if the NIC is rename3 or rename5 ;(	16:28
Sagar	service apache2 start doesn't show any output like it used to starting/running .... apache2 [ok], i am on ubuntu 16.04 xenial	16:32
riz0n	Hello - I have an Ubuntu 14.04 LTS web server and I am trying to make some changes to its behavior. Currently, I have each user's web page within their home folder (for example, www.foo.com would be /home/foo/www). The problem I'm running into is that each time a file is added, permissions have to be re-set to allow that file to be accessible by Apache. I am trying to eliminate that.	16:32
riz0n	What I was thinking was create /var/www/foo.com and give the user mike and group foo permission to this, then create a symlink from /home/foo/foo.com to /usr/var/foo.com. The problem I'm running into is that when I ftp into foo's account, and try to browse to the symlink, I get permissions denied. What would be the best way to go about setting foo's web folder access so that any newly	16:32
riz0n	created files will be accessible by Apache?	16:32
ddellav	coreycb i rebuilt on a yakkety-newton ppa and its still complaining about monasclient. In the spreadsheet james noted the latest build also has a depwait on it for his system as well	16:33
coreycb	ddellav, ah. ok. let me review and upload it to directly to the testing ppa for newton.	16:35
coreycb	ddellav, let me know when it's fixed up (--> 0ubuntu1)	16:36
ddellav	coreycb: ok, I'll fix that and repush.	16:37
ddellav	coreycb: ok it's fixed.	16:42
coreycb	ddellav, oslo.cache pushed/uploaded, thanks	17:14
coreycb	ddellav, heat's pushed and I manually kicked off a daily build for the newton combinations	17:21
jeeves_moss	what is the command to get a service to start at boot?	18:00
synchronet	check the man but usually default setting	18:03
genii	If you use the regular update-rc.d way, systemd will execute it the same way sysvinit would have previously	18:06
jeeves_moss	I tried the update-rd.c defaults path, and when I reboot, still nothing	18:07
genii	jeeves_moss: Old but still relevant Debian step-by-step: https://debian-administration.org/article/28/Making_scripts_run_at_boot_time_with_Debian	18:11
jeeves_moss	perfect, thanks. I'm going to need to do some self signed certs, and push this out.	18:12
riz0n	Hello: I am using Ubuntu 14.04. I have set up a web server where I have multiple users on system, each having their own sites.	18:19
riz0n	For example, user foo may have bar1.com and bar2.com as domains, so they would have /home/foo/bar1.com and /home/foo/bar2.com. We use VSFTPD to upload files to the server	18:20
riz0n	When I create directories, I create them with permissions of 775	18:20
riz0n	However, when files are uploaded, they are given permission of 600. What changes do I need to make in vsftpd to where permissions, by default, are 775?	18:21
synchronet	riz0n: if your using 14.04 make sure if your using proftpd to comment out the mod_copy.c in modules.conf	18:23
synchronet	or you will be hacked sooner or later	18:23
synchronet	Ubuntu dont care	18:24
riz0n	ok so let's try something else (because I don't wanna be hacked0	18:24
riz0n	Here's what I'm aiming for	18:25
sarnold	vsftpd should be fine	18:25
synchronet	if your using proftpd then yes, either comment that module out etc	18:25
riz0n	When individual users add files to their web directory, I want it to have the proper permission so that Apache doesn't throw up a 500 or 403	18:25
teward	riz0n: unless you have a lot of other controls in place, you shouldn't have web files running from a user's home directory	18:26
sarnold	synchronet: if you're going to use proftpd instead of vsftpd you should go through the list of open CVEs against it http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html	18:26
synchronet	sarnold: its a Virtualmin thing	18:26
synchronet	they use it	18:26
teward	hate my IRC client	18:26
synchronet	sarnold: I have moaned enough	18:27
synchronet	should be fixed	18:27
JanC	virtualmin...	18:27
riz0n	I did not have any of these problems until I upgraded to 14.04. But I was also giving people access to SSH. To eliminate that, I set their shell to /bin/false and they can use FTP (I do have encryption support in vsftpd)	18:28
synchronet	yeah you can find it on Google, nice virtual server software	18:28
sarnold	synchronet: yikes, if you're going to use virtualmin be sure you've got that firewalled to only your specific IP address	18:28
synchronet	VM is for webhosting	18:28
teward	riz0n: I would instead put user web docroots in /var/www/${USER}/public_html or similar, set up a symlink in the user's home directory to that, and set permissions such that you then execute the following on that directory: chown ${USER}:www-data /var/www/${USER}/; chmod 2750 /var/www/${USER}/	18:29
synchronet	yet the still use profpd etc	18:29
synchronet	proftpd	18:29
JanC	so, don't use webmin/virtualmin	18:29
teward	riz0n: that way, the web server can't traverse (unless it's not jailed or configured right) into user home directories, but the user can edit/create things and still the webserver will be able to access	18:29
synchronet	its a well know exploit	18:30
synchronet	known	18:30
synchronet	JanC: maybe not use Ubuntu 14.04?	18:30
synchronet	as you ship it	18:30
synchronet	took you ages to sort the headless server reboot problem in Grub	18:31
genii	!webmin	18:31
ubottu	webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.	18:31
JanC	there is no proftpd in Ubuntu by default and no virtualmin in it at all	18:32
genii	..so there's that...	18:32
synchronet	that cannot be possible	18:32
synchronet	hangon, will ask	18:32
patdk-wk	!webmin	18:36
ubottu	webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.	18:36
patdk-wk	oh, he already did that	18:36
synchronet	Webmin works quite well with Ubuntu and Debian. It's also considered a Grade A supported distro. Was the reply	18:37
synchronet	I said, Quire well?	18:38
synchronet	Quite	18:38
teward	synchronet: Webmin is not provided in the repositories	18:39
synchronet	Geez is Webmin and Virtualmin a second hand car dealer?	18:39
teward	synchronet: it does some oddities in it that make it incompatible with how the systems actually work under the hood	18:39
synchronet	teward: not trusted etc??	18:39
patdk-wk	oh, you can use them if you want	18:39
teward	synchronet: not trusted, doesn't work correctly alongside other utilities, botches configuration storage paths at times, etc.	18:39
teward	synchronet: you can install it if you want, but we don't support it here	18:39
patdk-wk	just if you do, NEVER update your system automatically	18:39
teward	synchronet: you also are going to have to NOT enable any automated updates	18:39
teward	because webmin doesn't work well with that	18:40
teward	there will be death	18:40
synchronet	works fine it appears but not have have Ubuntu endorsement?	18:40
teward	synchronet: let me talk as a security guy then:	18:40
synchronet	thats important	18:40
teward	if you run webmin, its going to open you to vulnerabilities	18:40
teward	many service scanners search for it, and hunt for exploitable paths as well	18:40
synchronet	everything as vunrabilties I get your up^dates daily	18:40
teward	and unless you are always on the latest of it, you will be opening yourself to hell	18:41
teward	synchronet: i mean in webmin	18:41
teward	NOT in the underlying software on Ubuntu	18:41
synchronet	sure	18:41
teward	you don't get security updates for webmin via Ubuntu	18:41
synchronet	ok	18:41
synchronet	you dont look after it	18:41
teward	and those security updates that happen automatically will need *turned off* if you use webmin	18:41
synchronet	I get it	18:41
teward	or you will break things	18:41
patdk-wk	I normally only see security updates every other week, or less	18:41
teward	it will break, and it will break things.	18:41
patdk-wk	but that is better than monthly rollouts for me atleast	18:42
teward	synchronet: as a server administrator, and a security guy, you can use webmin if you want, but we don't support it, we don't endorse it, we recommend NOT using it, and you will use it at your own risk	18:42
synchronet	teward: got ya	18:42
synchronet	will just relay that on	18:42
teward	to whom	18:42
teward	webmin?	18:42
teward	or your IT admins :p	18:42
synchronet	VM irc	18:42
teward	why are we playing relay tag again?	18:43
synchronet	its important	18:43
teward	again, why are we playing relay tag with a channel that isn't an Ubuntu channel?	18:44
synchronet	some of use are trying to make a secure living using Linux	18:44
synchronet	so	18:44
teward	learn the command line, where configuration files are, SSH connections, and the stuff that server administrators who actually get certified as such (like myself) have to learn.	18:44
synchronet	even so webmin etc say Ubuntu is a GRADE A OS you dont support it!	18:45
* teward grumbles		18:45
sarnold	yikes, if you're using webmin firewall the living hell out of -that- too	18:45
synchronet	what CP for webhoster do you recommend then?	18:45
teward	y'know what, I'm going to chalk all this up to "user and upstream stupidity", and going to do something actually productive, like clear the "TODO" items off my worklist for Yakkety...	18:45
darko0	Hey guys! I'm thinking of setting up a ubuntu server for webhosting on Linode and currently my main concern is security setup.. Could anyone point me in the right direction to set that up a guide/tool or whatever , thx for the help!	18:45
synchronet	np	18:45
sarnold	the most common causes of breakins are: (a) brute-forced ssh passwords (b) vulnerabilities in those terrible "control panel" programs	18:46
synchronet	noob here just trying to use the tools out there	18:46
synchronet	why dont Ubuntu do a web hosting CP?	18:46
synchronet	charge a few bucks	18:47
JanC	sarnold: well, and all sorts of web apps in general	18:47
sarnold	JanC: true, but something about control panels attracts the worst programming discipline :(	18:47
JanC	hehe	18:47
synchronet	Ubuntu server and the new Ubuntu web hosting CP, would sell no?	18:49
sarnold	it's kind of a niche market thse days... fifteen years ago, maybe	18:49
synchronet	who needs cpanel, direct admin, Virtualmin etc after	18:49
synchronet	food for thought	18:50
synchronet	niche market, using a linux server for webhosting??	18:50
sarnold	these days folks just roll out something on digital ocean or amazon s3 or whatever, it's cheap, they've got full control over their own site..	18:50
sarnold	two thousand users on a host is just not as common as it once way	18:51
JanC	there are a couple of CP that were designed to be used with Debian/Ubuntu, IIRC	18:51
teward	sarnold: s/way/was/	18:51
synchronet	talking about dedicated	18:51
synchronet	to be honest I dont think any of you really know what your doing	18:52
synchronet	and chasing after what suits your needs	18:52
Bae	sarnold, hello	18:52
sarnold	synchronet: all I'm saying is if you're going to use programs with such terrible security histories, _please_ take precautions.	18:52
teward	synchronet: if you don't think we know what we're doing, the exit is over there --->	18:52
sarnold	synchronet: confine your ftpd with apparmor..	18:52
teward	you are the one who came here with questions ;)	18:53
Bae	i came back to ask you question about apparmor if you do not mind. since you already know my specific config sorta. sarnold	18:53
sarnold	synchronet: confine your web control panels with firewalls	18:53
Bae	btw are you a developer?	18:53
Bae	of apparmor i mean	18:53
sarnold	hey Bae :) how you're doing today?	18:53
teward	Bae: sarnold's on the Security Team	18:53
Bae	hey sarnold im fine thx. how are you?	18:53
Bae	sick ass	18:53
sarnold	Bae: well, sort of. I don't actually write much code for it but I've been working on apparmor for ~16 years :)	18:53
Bae	dang	18:53
Bae	nice to have u here	18:53
patdk-wk	did apparmor nesting land for lxc?	18:54
patdk-wk	if so, I didn't figure it out :)	18:54
Bae	so my question is what is the purpose of logprof sarnold. according to this http://www.howtogeek.com/118328/how-to-create-apparmor-profiles-to-lock-down-programs-on-ubuntu/ it seems like you can create profiels from logs after running the profile normally in complain mode?	18:54
sarnold	patdk-wk: not et	18:54
patdk-wk	no wonder I couldn't get it working yet :)	18:55
sarnold	patdk-wk: john wrote some docs http://wiki.apparmor.net/index.php/AppArmorStacking#Using_Stacking_in_combination_with_Policy_Namespaces -- I haven't looked at them yet	18:55
sarnold	Bae: yeah aa-logprof can do that for programs that you've started running; if you're creating a profile from scratch you can use aa-genprof and it will automate the aa-logprof steps for you	18:56
Bae	sarnold, ah so my steps would be if i set complain mode on my nodejs program for example. and say the nodejs program starts up, accesses /home/user/directory1 and then accesses /home/user/directory2 then does some other network shit. this will all get logged. then if i tell apparmor to generate logs it will blacklist ALL other directories and ONLY whitelist those 2 directories and the networking shit? is that what it does?	18:57
sarnold	Bae: mostly. it'll ask you a question about every log entry. if some of your answers covers log entries it hasn't reached yet, it gets to skip those :)	18:58
Bae	sarnold, when will it ask me questions about log entries? when i do the aa-logprof command?	18:59
sarnold	Bae: yes	18:59
Bae	sarnold, so basically it will look at everything i've done when i perform every possible functionality of the app, then ask me is this ok? is that ok? and then if i say yes and no, it will generate a profile automatically for me and then i can run the enforce mode to enforce that profile so that every possible command of the nodejs app can be done. and anything outside of that will be blocked?	19:01
sarnold	Bae: right	19:01
Bae	damn thats really smart	19:01
sarnold	yes :)	19:02
patdk-wk	and then all is good, till you expand your node app	19:02
patdk-wk	and you can't figure out why you keep getting permission denied errors	19:02
patdk-wk	and forgot to look at dmesg	19:02
Bae	patdk-wk, if it came down to that i will edit the nodejs app, upload it to the server. delete the current node app profile. and then logprof again	19:03
patdk-wk	that would be really annoying	19:04
patdk-wk	just run it on the new entries it is printing, or add them manually	19:04
patdk-wk	then just append	19:04
Bae	maybe i will just do that yes patdk-wk	19:04
Bae	sarnold, how is the scope of this? if nodejs accesses a file say /home/user/directory/file.txt. is the apparmor generated profile going to blacklist everything else and ONLY whitelist /home/user/directory/file.txt in logprof ?	19:05
Bae	like what is the default way that app armor works? blacklist everything and whitelist a few things?	19:05
sarnold	Bae: it'll ask you what you want to do; you could answer "allow" and only that file will go in the whitelist. Or "glob" and /home/user/directory/* will be added. "glob ext" will add /home/user/directory/.txt. "glob ext glob ext" will give you /home/user/*.txt. And so on. :)	19:06
sarnold	Bae: exactly	19:06
sarnold	Bae: the 'deny' rules can subtract accesses but that's subject to the usual "blacklists aren't safe" reasoning.	19:07
Bae	yeah i dont like that deny shit tbth	19:07
Bae	i like blocking to everything EXCEPT the things i need	19:07
sarnold	exactly	19:07
sarnold	it's sometimes useful	19:08
sarnold	and apparmor also allows you to use the 'deny' keyword to silence the logging when you know something is doing something stupid	19:08
sarnold	for example, everything linked with kerberos tries to write to /etc/keytab.something as part of startup -- the intention is that they fail if they can write to it	19:08
sarnold	.. but _every_ _program_ doing this is annoying :) so add the 'deny' rule to the profile and apparmor will be silent about those.	19:09
Bae	sarnold, question. if nodejs app calls another binary in the bin folder and apparmor profile contain catches that, can i tell apparmor to put the other binary as an "ix" mode in the nodejs app profile ???	19:10
Bae	profile complain*	19:11
Bae	as in is there way to send the "ix" command from the logprof method ?	19:11
Bae	or do i have to generate the logs, then open the profile file then manually add ix where need be?	19:11
Bae	tbh any other binary the nodejs app calls i will probably do ix just to make sure those bins can only access the file directories that my nodejs app can access	19:11
patdk-wk	I whitelist stuff	19:12
patdk-wk	but I also blacklist stuff, to keep down log noise	19:12
patdk-wk	like things the app does, that I don't want to work :)	19:12
sarnold	Bae: yes, logprof will let you pick between px, ix, cx, ux, as appropriate :) it also makes it hard to e.g. pick 'px' for /bin/grep, etc., because that'd wreck your day.. :)	19:13
patdk-wk	ux all the stuffs	19:13
* sarnold kicks patdk-wk		19:13
Bae	wow are u a hacker	19:14
patdk-wk	hmm /usr/bin/* ixr,	19:14
patdk-wk	looks like that is what I'm mainly using is ixr	19:15
Bae	man this apparmor shit is cool af	19:15
sarnold	patdk-wk: oh yeah that's fine :)	19:15
patdk-wk	fun php one, owner @{WWW_DIRS}/phpsessions/?/?/* rwk	19:15
patdk-wk	had to use, to make sendmail work, owner /var/spool/mqueue-client/* rwk	19:17
patdk-wk	run this app in total confinement	19:18
Bae	sarnold, does apparmor by default blacklist all things and whitelist certain things (as described in complain mode) ?	19:22
patdk-wk	define default?	19:22
patdk-wk	if you setup an empty profile, it will audit deny everything	19:22
patdk-wk	depending on how you switch into it	19:23
Bae	patdk-wk, yeah say i put something in aa-complain mode. then ran it. then generated with logprof. at this moment in time, is apparmor going to generate an profile with everything blacklisted BUT my specifications whitelisted?	19:23
patdk-wk	depends, it will make that profile, yes	19:24
sarnold	Bae: yes; try this: cp /bin/bash /tmp ; echo "/tmp/bash { /tmp/bash rix, /bin/* rix, /usr/bin/* rix, }" \| apparmor_parser --reload and then run /tmp/bash, see what happens ;)	19:24
patdk-wk	but I'm not sure if it will override the calling or not	19:24
Bae	oh i see	19:24
Bae	damn	19:24
sarnold	Bae: start with somethin gnice and small and see what happens :)	19:24
patdk-wk	can't remember how the calling works, for switching, maintaining and adding, ...	19:24
patdk-wk	as I always use, swapping :)	19:25
patdk-wk	changehat :)	19:25
Bae	ok thanks guys. it answers all my questions this has been great :)	19:25
patdk-wk	what those ux, ix, px, ... mean	19:25
Bae	heh. all i know is i like ix most	19:26
Bae	probably ixr. yep	19:26
patdk-wk	ix if I remember right is, include restrictions and execute	19:26
Bae	inherit	19:26
sarnold	"inherit"	19:26
patdk-wk	close enough :)	19:26
Bae	yeh pal	19:26
sarnold	"unconfined"	19:27
sarnold	"profile exists"	19:27
patdk-wk	hmm, kindof like wrapping your program into one of these? http://www.ostrichpillow.com/	19:32
Bae	lol	19:33
Datz	sarnold: Thanks for the advice yesterday with my DNS resolving issue (adding nameserver 8.8.8.8) to /etc/resolv.conf. A little to add to that. I had configured the machine for a static address in /etc/network/interfaces which seems to be defined correctly. Today I checked /etc/resolv.conf after ping failed to resolve DNS, or course it was overwritten. So I started checking in /etc/resolvconf/resolv.conf.d/ as you suggested	21:36
Datz	Hopefully that wasn't cut off^	21:37
Datz	That loong post is really directed at anyone.	21:38
sarnold	Datz: the last thing that went through was "as you suggested"	21:39
Datz	as you suggested yesterday to have it added automatically. I noticed in /etc/resolvconf/resolv.conf.d/original there's a nameserver for the wrong gateway, the one for where I set the machine up instead of the one for the current location. This seems like a bug?	21:40
Datz	I edited it for the gateway where it currently is, but it really seems like it should reidentify and be overwritten	21:42
Datz	There could also be something wrong with my gateway/router	21:42
sarnold	Datz: I think the "original" file is just one that resolvconf stuffs away in case you need it	21:47
Datz	Ah, I see.	21:48
Datz	Looks like everything else in /etc/resolvconf/resolv.conf.d/ is basically empty	21:49
sarnold	Datz: yeah; the 'head' gets prepended to the /etc/resolv.conf that it generates	21:50
Datz	ah, interesting, so I could define a nameserver there?	21:51
teward	Datz: yes, you could	21:51
Datz	Neat, I bet there's docs on it(i hope) I'll have a look. THanks	21:52
teward	in fact, this is what I do on my local Ubuntu 14.04 laptop, which runs its own bind9 resolver, because I have a lot of different DNS rules	21:52
teward	there isn't, really	21:52
Datz	ok, I can just add "nameserver 8.8.8.8" then?	21:52
teward	basically, under the two commented out lines (with # at the beginning), put this: nameserver 127.0.2.1	21:52
teward	replace 127.0.2.1 accordingly	21:52
Datz	ah, gotcha, thanks	21:52
Datz	I can add one for redundancy also in the same format I suspect.	21:53
sarnold	since "unreachable nameserver" takes an absolute eternity, you'll probably want to just fix whatever unreliability is in a nameserver :)	21:53
sarnold	it's like six seconds or something outright intolerable	21:54
Datz	ha	21:54
Datz	head also warns that changes will be overwritten	21:55
JanC	there is documentation in /usr/share/doc/resolvconf/README.gz	21:55
sarnold	yes, that's how the warning makes it into /etc/resolv.conf :)	21:55
Datz	ah	21:55
Datz	heh heh	21:55
Datz	On a completley unrelated note, I thought that ZFS was now the default FS in 16.04, but it looks like I'm on ext4.	21:56
sarnold	seriously though you can reach the other side of the planet in about 250 ms or so. four trips around the world, one second, yeah alright..	21:56
skylite	which one is faster NFS or samba? I cant see clear answers to that anywhere	21:56
JanC	ext4 is default, ZFS is available	21:56
sarnold	I guess six seconds is long enough that it's so terrible you actually go investigate -why- it's broken	21:56
bekks	skylite: NFS has a smaller protocol overhead.	21:57
sarnold	if it was one second you might not bother, or just think something else is broken..	21:57
Datz	JanC: Ok thanks.	21:57
sarnold	Datz: zfs on root currently takes some work	21:59
sarnold	it's possible but I decided for myself that it was too much effort	21:59
JanC	once we've colonized Mars we'll have to increase that 6 sec though :)	21:59
Datz	sarnold: gotcha. I hadn't looked into it, I just noticed that's what was mentioned in ol reliable Wikipedia.	22:00
sarnold	JanC: mars will doubtless run their own recursors :)	22:00
sarnold	Datz: zfs is awesome stuff; here's a nice series of blog posts https://pthree.org/2012/12/04/zfs-administration-part-i-vdevs/	22:01
Datz	Cool, I'll take a look.	22:01
=== ianorlin is now known as lynorina
=== lynorina is now known as lynornian
=== nacc is now known as Guest64822
=== nacc_ is now known as nacc
=== JanC is now known as Guest59129
=== JanC_ is now known as JanC

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!