HappySomethingSoWhat changed in regards to setting up  a static ip on 16 vs 24?00:00
HappySomethingSovs 14*00:00
sarnold"no longer works", what fails?00:00
HappySomethingSoit doesn't set the assigned ip00:00
HappySomethingSosarnold:  this is what my image came with: http://pasted.co/212f34e700:02
HappySomethingSoI do not recognize the last line from ubuntu 1400:02
HappySomethingSosarnold: I have a feeling the problem's there00:02
sarnoldHappySomethingSo: what is your interface named? 'ip link' should show you the name; add your configuration to the file, then try to bring it up with ifup <interfacename>00:04
HappySomethingSosarnold:  in /etc/network/interfaces.d I have a file named 50-cloud-init.cfg with this in it: http://pasted.co/e213548b00:04
sarnoldHappySomethingSo: aha, does that match your interfacename?00:04
sarnoldHappySomethingSo: do you want it to use dhcp?00:04
geniisarnold: Any .cfg files he makes in interfaces.d get wiped out next boot, any changes he makes to the existing file there also get reverted00:05
HappySomethingSosarnold: yes, eth0 is now  enxb827eb7c6bae apparently. I ant to use a static ip00:05
HappySomethingSonot dhcp00:05
geniisarnold: ( we were just going through this issue in #ubuntu and I referred him here for more specific help )00:06
sarnoldhey genii :)00:06
* genii waves00:07
sarnoldHappySomethingSo: are you using cloud-init intentionally? if not maybe the easy answer is uninstalling it00:08
HappySomethingSosarnold: it's a fresh image, I haven't touched anything00:09
HappySomethingSowhat exactly is cloud-init?00:09
sarnoldcloud-init makes it easy to fire up VM images (or actual hardware, in the case of MAAS) and have them "autodiscover" their configuration: networking, package repositories, new users, packages to add, etc. I find it a bit underdocumented but they have some nice examples up that give the flavor of what it does: http://cloudinit.readthedocs.io/en/latest/topics/examples.html00:10
HappySomethingSosarnold: I see, well if it came preinstalled I'd rather not meddle with it00:11
HappySomethingSoI think I've got it00:11
TJ-that explains it, "50-cloud-init.cfg" is created by cloud-init, so of course it'll get overwritten00:11
sarnoldHappySomethingSo: interesting, this feels like it might also interact poorly with this bug https://bugs.launchpad.net/cloud-init/+bug/1571004 -- but I'm not 100% sure ..00:12
ubottuLaunchpad bug 1571004 in cloud-init "apply networking only on first instance boot" [Medium,In progress]00:12
geniiNow that my curiosity is sated, I'm off to watch hockey00:12
HappySomethingSosarnold: genii: TJ-: I managed to get the static ip working, I edited /etc/network/interfaces like usual but used the new interface name instead of eth0 (which is werid because it was called eth0 on the 50-cloud-init file until I rebooted it a couple of times)00:13
sarnoldHappySomethingSo: and it sticks across reboots?00:14
HappySomethingSosarnold:  I've rebooted it twice more and it seems like it's staying on the desired ip00:14
HappySomethingSoso it was a problem with the interface names00:14
HappySomethingSothank all of you for your help00:15
sarnoldHappySomethingSo: excellent, I'm glad that was sufficient. :) like I said, I find cloud-init underdocumented, so I feared trying to find the fix if something simple didn't do it. :)00:15
HappySomethingSoI was quite lost00:15
sarnoldthere's Good Reasons for these new interface names but it's going to take me another twenty years or something to get used to them.00:15
HappySomethingSosarnold: yeah, I thought something had gone wrong and that it was an error when I first saw the new name00:16
sarnoldunderstandable :)00:18
DatzHi, I'm having trouble network troubles with my install of 16.04. I can't install packages, and I can't ping outside servers. I'm currently logged in remotely though. I think there is some sort of DNS trouble. Any ideas?02:08
sarnoldcan you ping by ip address? try e.g. ping
DatzThis is what I'm getting trying to install a package : http://hastebin.com/iwozasesig.vhdl02:11
Datzsarnold: yes, I can02:12
sarnoldDatz: alright, cat /etc/resolv.conf -- that should list some nameservers. ping each one in turn..02:12
Datzsarnold: resolv.conf appears to be two commented lines long02:14
OerHeksDatz, on 16.04?02:14
OerHeksthen you suffer this bug, https://bugs.launchpad.net/ubuntu/+source/appstream/+bug/157971202:14
ubottuLaunchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]02:14
Datzthink so.. just installed today02:14
OerHekslot of heat.. remove it, and you'll be fine, patch is in proposed02:15
sarnoldOerHeks: .. how does that bug lead to busted dns?02:15
OerHeksyou don't need that appstream , it is optional02:15
Datzso run sudo appstreamcli refresh --force ?02:15
OerHekssarnold, not sure how, but removal fixed it for a lot of users in #ubuntu02:15
sarnoldOerHeks: ouch :/02:15
OerHeksi know, ugly fix ..02:16
sarnoldDatz: well, lets try OerHeks's suggested fix :) apt-get purge appstream02:16
Datzok, will do02:16
sarnoldOerHeks: did they need to do anything else along the way? re-poke apt in the eye or reboot or something else?02:17
OerHeksehm, good point. after removal, i would (try) to rerun apt update02:18
Datzpurged.. still not resolving.02:18
JanCactually, the package in -proposed doesn't fix that bug  :)02:18
OerHeks#30 john wang - The reason I warned against removing the binary is because it's a bad practice in general, even though in this particular problem scenario the removed binary gets restored when its package is upgrade02:19
JanCor, wait, maybe it's because it tried to install appstream before libappstream or something02:20
JanCright, that was it02:23
DatzSo, is there a workaround or fix, or am I holding tight for now?02:23
sarnoldOerHeks: I think that was specific to the "rm /usr/bin/appstream*" advice or whatever it was02:24
JanCDatz seems to have a DNS issue02:25
sarnoldDatz: well, as a half-ass solution you could try adding "nameserver" to your /etc/resolv.conf by hand; that'll use google's public resolver02:25
sarnoldJanC: OerHeks said the appstream screwup broke a bunch of people's dns. it seemed worth trying.02:25
DatzI like the sound of htat02:26
DatzI think I've had to do this before actually. Maybe something with my network instead.02:26
sarnoldif you've got a dhcp server that hands out leases without giving you dns server info that might be able to do it02:27
sarnoldbut tbh since I never see that situation that's a wild guess02:27
OerHeksmore info now on the bug page02:28
ubottuLaunchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]02:28
Datzsarnold: I'm not sure if that's the case or not. Adding that nameserver does seem to fix the problem though.02:28
DatzWill that nameserver be overwritten as stated in the comments of resolv.conf ?02:29
DatzAlso, I guess I can add back appstream?02:30
sarnoldDatz: meh, as far as I can tell appstream just downloads 8 megabytes of icons incase you want to browse gnome-software-center or something like that. If you're in here asking for help you'll probably never notice it's gone. ;)02:30
DatzAh, yes.. no gui.. ok guess I don't need it. Surprised it was added with the netinstall.02:31
sarnoldDatz: it's possible that the file will be re-written to be useless. if that keeps happening you can either uninstall the resolvconf package or you can figure out the /etc/resolvconf/resolv.conf.d/  files to re-add this..02:32
Datzsarnold: great I'll make a note, and try and do this. Thanks.02:33
sarnoldDatz: note that there's half-billion people in the world using the google dns recursor -- while there's some safety in numbers, it feelsl ike I ought to let you know that that -is- a step outside of whatever the machines next to you might be doing02:33
sarnoldDatz: so e.g. local hostnames may not resolve correctly, or a local cache may do a better job for you. (or google's might be faster. most ISPs suck at running DNS so many people do get better results with google...)02:34
DatzIn the past I've added google's DNS servers without every really thinking about it. Maybe my isp is better ,I don't know :)02:36
DatzI assume I can add some redundancy..02:39
sarnoldfunny thing with dns, redundancy isn't always better -- finding one server that works is way better02:41
sarnoldand dns is super strange, the recursors get far better the more traffic they have02:41
sarnoldif they have all data already cached because someone else asked for a second ago, you'll get a muchf sater response..02:41
sarnoldone hot recursor is almost always better than two cool recursors02:42
sarnoldin stark contrast against e.g. web servers where multiple cool servers are usually better than one hot server :)02:42
JanCit depends on how hot, of course02:44
JanCwebservers use lots of caching too (filesystem cache, database table/query cache, memcached, etc.)02:45
sarnoldyeah, if you can get webserver ram served stuff, that's best :)02:46
patdk-lapsarnold, depends :)02:50
sarnoldpatdk-lap: just buy more ram of course! :)02:50
patdk-lapcaching helps, but not tuning the recursor properly and giving it too much ram02:50
patdk-lapcan cause it to get slow as crap02:50
patdk-lapya, but unlike most things, dns is one huge hash table lookup, can cause all kinds of issues when it gets large02:51
patdk-lapyou talking normally about caching 200bytes or so maybe 1k per entry :)02:51
patdk-laphot webservers are good, just not *hot* cgi/fcgi/... servers :)02:52
* patdk-lap can't imagine what it would take to run 10k r/s wordpress site, without static caching02:53
sarnoldbut 10qps dns recursor ought to be standard desktop thing :)02:54
patdk-lap10qps dns is less than a web browser does :)02:55
sarnoldof course i meant 10kqps :)02:56
sarnold10qps .. well, tandy 1000 :)02:56
JanCtandy 1000 would have zero memory left for caching probably  :P02:57
patdk-lapsarnold, dunno02:58
patdk-lapmy large dns installs, are only doing 1kqps recursive, and 300qps authorative02:58
patdk-lapusing two primary large recursives, and tiny ones on the smtp servers02:59
AndyWojothe link to hp moonshot on the arm server page is broken btw03:51
AndyWojohttp://www.ubuntu.com/download/server/arm down at the bottom03:51
AtuMHi. I am having some trouble starting nfs-kernel-server as rpcbind starts after the nfs service. any thoughts? I see that nfs service is started by init script while rpcbind is already converted to systemd unit06:39
AtuMI've found bug #1558196 .. but the solution provided makes no difference06:41
ubottubug 1558196 in rpcbind (Ubuntu) "ypbind not able to socket activate rpcbind under systemd, fails at boot unless something else starts rpcbind" [Undecided,Triaged] https://launchpad.net/bugs/155819606:41
halvorsAnyone knows if the "lo" interface is added by the kernel in Ubuntu?07:01
halvorsEven after emptying the "/etc/network/interfaces" file it is added.07:01
AtuMhalvors, lo is added by networking service or network-manager07:02
AtuMhaving lo is essential to many services running on linux07:02
halvorsYeah, the thing is that i want to disable the "network" service in favor of "systemd-networkd"07:04
AtuMhalvors, having "lo" does not impact you then.. either way you will need it.07:05
AtuMit might be brought on by systemd.. i have not checked that yet..07:06
halvorsAtuM: Yeah i know,  just wondering if it's added by ifupdown or systemd :)07:07
halvorsNot going to remove it.07:07
halvorsAtuM: Do you know how to disable ifupdown?07:07
AtuMhalvors.. check /etc/init/network-interface.conf.. there are some definitions there..07:07
AtuMsystemd still needs configuration files to do anything07:08
halvorsYeah i know.07:08
AtuMin the mentioned conf file it is stated for "lo" : # bring this up even if /etc/network/interfaces is broken07:09
AtuMso there you have it07:09
AtuMhalvors, no, i've never tried to disable ifupdown.07:11
halvorsAh ok, thanks :)07:12
AtuMhow would i tell systemd to start rpcbind before nfs-kernel-server ? I'm doing a workaround by restarting both services inside rc.local, but i really do not like doing things this way07:13
sobersabrehi, I managed to configure my ubuntu server as a member to active directory. I have ids problem.08:05
sobersabreI also ran ldapsearch and it seems there's some kind of pre-defined list of attributes used by ldapsearch08:05
sobersabreI'm noticing the attributes I want to be mapped in /etc/ldap.conf are not listed in the LDIF query result.08:06
AtuMubuntu's defaults are not made for microsoft ad. you might need to adjust those attributes08:10
Walexsobersabre: schemas...08:35
davethenoobhey yall10:12
davethenoobI have a vpn question if i may?10:13
davethenoobi have tried setting up openvpn on my raspberry pi and moved client key to phone and used openvpn client on android phone, but the connection just stays at 'waiting server response'10:19
davethenoobAfter trying many times various openvpn guides, i have decided to go back to using pptp, which i have set up before10:19
davethenoobis there a way a making pptp a bit more secure? Limiting to a specific device to connect from etc?10:20
davethenoobnot completely ubuntu-server, but i am trying to connect to my network to get access to my owncloud/subsonic, which is on ubuntu server10:20
davethenoobthank you in advance10:20
rbasakI wouldn't trust pptp. I'd focus on making openvpn work.10:21
rbasakIt might be worth running tcpdump on the server to see if two way traffic is getting through.10:22
TJ-davethenoob: first thing on the server-side is consult and watch the logs, having enabled additional verbose debug log messages10:23
fricklerjamespage: chown -R root:neutron /etc/neutron/ in neutron-common.postinst breaks our deployment, was this added recently?10:27
davethenoobhmm okay10:28
davethenoobill give it another go10:28
jamespagefrickler, not changed for a long time...10:28
jamespageDate:   Thu Apr 30 15:29:57 2015 +020010:29
jamespagewas the last touch on that file - and tbh that was the creation of the git repo its in...10:29
davethenoobhow does tcp dump work? Do run it and then connect from phone client?10:29
fricklerjamespage: ok, well, nevermind then, nothing that a decent chef-client run couldn't fix ;)10:30
davethenoobcan anybody recommend a good step by step guide for installing openvpn on raspberry pi? Ive tried a couple and one video guide.10:30
robb_nltry #raspberrypi or #openvpn10:31
TJ-davethenoob: "apt-get install openvpn" and add a config in /etc/openvpn/server/ I think it is10:38
jamespagecoreycb, added ironic, trove and nova-lxd to CI; ironic does not like xenial; nova-lxd foobar on newton generally12:08
coreycbjamespage, ok12:09
coreycbjamespage, we were 100% success at one point yesterday12:09
jamespagecoreycb, yup12:10
=== Guest24582 is now known as devil_
jamespagecoreycb, ddellav: horizon bugs could do with some love. https://bugs.launchpad.net/ubuntu/+source/horizon/12:34
coreycbjamespage, I'll take a look12:35
PMunchHi, I'm having a little trouble after I updated from 14.04 to 16.0412:40
PMunchThe problem I'm having is that suddenly none of my git repositories are working12:40
PMunchhttp://pastebin.com/TLCBYxPA that's the error I'm getting when I'm trying to pull a repo.12:42
=== chuck__ is now known as zul
Sagarudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied13:44
Sagarubuntu xenial 16.0613:45
Sagarwhat can be the issue?13:45
RoyK16.04, perhaps13:45
RoyKbut what is org.freedesktop doing on a server?13:45
* RoyK find systemd confusing13:47
TJ-its the Dbus path to the IPC damon13:48
Sagaris it?13:48
TJ-the path is the freedesktop specificied path13:49
TJ-Sagar: as I asked in #ubuntu, did the system boot using Upstart? in which case that error would make sense13:49
Sagaridk how can i check that?13:49
TJ-possibly "cat /proc/cmdline" will have an 'upstart' or something on the line13:49
Sagar cat /proc/cmdline => BOOT_IMAGE=/boot/vmlinuz-4.4.0-22-generic root=/dev/md1 ro rootdelay=10 net.ifnames=013:50
TJ-"permission denied" ... have you modified the sudoers entries at all?13:50
TJ-Sagar: so you shot yourself in the foot?13:51
Sagari am root13:51
Sagarthis is my /etc/sudoers13:52
TJ-you're root but calling it with sudo?13:53
TJ-how about just "systemctl status apache2.service ?13:53
SagarFailed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied13:53
Sagarstill the same13:53
Sagaris it policy kit?13:54
TJ-The error is coming via Dbus13:55
Sagarthen what should i do?13:56
TJ-Sagar: well first I'd return to a vanilla sudoers to determine if those changes are responsible or not (generally its' better not to edit /etc/sudoers but add an additional file with e.g. "visudo -f /etc/sudoers.d/my_admins "14:00
TJ-Sagar: I'd also do a reboot in case this is a one-off14:00
Sagarrebooted already14:01
Sagari just removed php from my server14:02
Sagarafter that iam getting these issues14:02
TJ-Did something else get removed too? check the /var/log/apt/history.log and /var/log/apt/term.log in case14:03
jamespagecoreycb, 12 packages togo until 1000 uploads...14:11
coreycbjamespage, ha!  where do you see that?14:12
jamespagecoreycb, https://launchpad.net/~james-page/+uploaded-packages14:12
coreycbjamespage, that's got to get a karma bonus :)14:13
jamespageI'm waiting for achievement unlocked to resound across my office.. :-)14:13
geniisarnold: So, did HappySomethingSo's issue last night end up to be cloud-init, in the end?14:13
coreycbjamespage, lol14:14
coreycbjamespage, I'm fixing cinder for newton14:26
jamespagecoreycb, microversion-parse is in unstable; I missed two copyright holders for monascaclient - sorting that now14:26
coreycbjamespage, ok14:26
coreycbddellav, I see you signed up for glance in the spreadsheet.  it's building ok so I think we can hold off until the next breakage.14:28
coreycbddellav, did you do some work on oslo.cache?  I see you have it marked as done14:30
coreycbddellav, let me know if you need a sponsor14:30
halvorsI have a router running linux and a problem with a TCP connection that comes in another interface than it went out is being dropped somehow. This is IPv6, does the kernel do any reverse path filtering?14:46
ezicialAhoy all, I'm looking for help / advice on setting up an IRC server on a dedicated Ubuntu server, the purpose of which is to create a web based IRC chatroom on a website.14:54
Slingezicial: it's probably much easier to use an existing irc network to create a channel14:54
Slingunless you have good reasons not to use one14:54
ezicialSling: nope no good reason, we just have the dedicated server so thought why not, it could be interesting...14:55
Slingezicial: having a communication channel on another server is especially useful if you want your community to still be able to reach each other when the server is down :)14:56
naccthere is also webchat.freenode.net already14:56
ezicialAlso I have no idea what the rules are with regards to freenode, etc.'s policy on creating chatrooms for a particular site. In this case an internet radio station.14:58
ezicialDon't want to step on any toes if it can be avoided.14:58
Piciezicial: #freenode can help explain14:58
ezicialOut of interest sake though, is there any reason not to create our own IRC server other than possible down time (which doesn't really apply since the website is hosted on the same server anyway)?15:01
Sagari am getting this error15:01
Sagarroot@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied15:01
ddellavcoreycb ok i'll hold off on glance and yes, oslo.cache is ready, i'll push the repo and send you the link for sponsor directly15:01
Sagarwhat could be wrong?15:01
coreycbddellav, ok.  feel free to grab broken packages to work on that have a red dot on the ci dashboard.  we're at a point now where most everything is successful and we can spend a little time each day on daily maintenance.15:04
coreycbddellav, how's heat?15:04
ddellavcoreycb ok, i'll keep an eye on the dashboard. Heat is done. It seemed to create the config properly the way I had it but I updated it with your suggestions. I'll re-push in a minute15:06
coreycbddellav, jamespage: I pushed a new version of cinder for newton, that should fixup today's failure15:08
maswanezicial: no, not particularly, but irc servers are not very widely used as packaged, so you might find some rough corners as you try to set it up15:10
ezicialmaswan: yep, already seeing some of those rough corners...15:13
Sagari am getting this error root@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied15:27
ddellavcoreycb lp:~ddellav/ubuntu/+source/oslo.cache ready to go, heat is having build failures after i changed d/rules, looking at them now15:54
Sagaranyone who could tell me why i am getting permission denied issue on root@wolf:~# systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied16:07
ddellavcoreycb i think what happened with heat was because i moved my changes to the master branch and there are dependency issues: https://launchpad.net/~ddellav/+archive/ubuntu/xenial-newton/+build/977875816:15
coreycbddellav, did you bump those requiremetns up?16:16
ddellavcoreycb i did not touch d/control at all. Only change I made was to d/rules16:16
coreycbddellav, that's odd. send me a link to your package.16:17
ddellavcoreycb however jamespage did have an unreleased version bump in the repo that my changes attached to16:17
coreycbddellav, that's probably just daily ci fixes16:17
ddellavcoreycb lp:~ddellav/ubuntu/+source/heat16:18
coreycbddellav, fwiw heat is building ok. 4 successes today.16:18
coreycbon the daily build ^16:18
coreycbddellav, you'll need to build that with the daily snapshot, so use the daily snapshot process16:20
coreycbddellav, also leave the version as 0ubuntu116:21
coreycbddellav, wait...16:21
coreycbddellav, nevermind, yes do that and we won't upload the fix until b116:21
ddellavcoreycb remind me what is the daily snapshot process? Is that the pastebin james posted about core releases?16:22
coreycbddellav, oh and the depwait you're getting is because you're building it in a xenial ppa16:22
coreycbddellav, yes16:22
ddellavok, i'll use yakkety16:22
Sagar service apache2 start doesn't show any output, i am on ubuntu 16.04 xenial16:23
mpjettadoes anyone know if the 70-persistent-net.rules udev interface tricks should work in 16.04 ? I have a server that can’t decide if the NIC is rename3 or rename5 ;(16:28
Sagar service apache2 start doesn't show any output like it used to starting/running .... apache2 [ok], i am on ubuntu 16.04 xenial16:32
riz0nHello -  I have an Ubuntu 14.04 LTS web server and I am trying to make some changes to its behavior. Currently, I have each user's web page within their home folder (for example, www.foo.com would be /home/foo/www). The problem I'm running into is that each time a file is added, permissions have to be re-set to allow that file to be accessible by Apache. I am trying to eliminate that.16:32
riz0nWhat I was thinking was create /var/www/foo.com and give the user mike and group foo permission to this, then create a symlink from /home/foo/foo.com to /usr/var/foo.com. The problem I'm running into is that when I ftp into foo's account, and try to browse to the symlink, I get permissions denied. What would be the best way to go about setting foo's web folder access so that any newly16:32
riz0ncreated files will be accessible by Apache?16:32
ddellavcoreycb i rebuilt on a yakkety-newton ppa and its still complaining about monasclient. In the spreadsheet james noted the latest build also has a depwait on it for his system as well16:33
coreycbddellav, ah. ok.  let me review and upload it to directly to the testing ppa for newton.16:35
coreycbddellav, let me know when it's fixed up (--> 0ubuntu1)16:36
ddellavcoreycb: ok, I'll fix that and repush.16:37
ddellavcoreycb: ok it's fixed.16:42
coreycbddellav, oslo.cache pushed/uploaded, thanks17:14
coreycbddellav, heat's pushed and I manually kicked off a daily build for the newton combinations17:21
jeeves_mosswhat is the command to get a service to start at boot?18:00
synchronetcheck the man but usually default setting18:03
geniiIf you use the regular update-rc.d way, systemd will execute it the same way sysvinit would have previously18:06
jeeves_mossI tried the update-rd.c defaults path, and when I reboot, still nothing18:07
geniijeeves_moss: Old but still relevant Debian step-by-step: https://debian-administration.org/article/28/Making_scripts_run_at_boot_time_with_Debian18:11
jeeves_mossperfect, thanks.  I'm going to need to do some self signed certs, and push this out.18:12
riz0nHello: I am using Ubuntu 14.04. I have set up a web server where I have multiple users on system, each having their own sites.18:19
riz0nFor example, user foo may have bar1.com and bar2.com as domains, so they would have /home/foo/bar1.com and /home/foo/bar2.com. We use VSFTPD to upload files to the server18:20
riz0nWhen I create directories, I create them with permissions of 77518:20
riz0nHowever, when files are uploaded, they are given permission of 600. What changes do I need to make in vsftpd to where permissions, by default, are 775?18:21
synchronetriz0n:  if your using 14.04 make sure if your using proftpd to comment out the mod_copy.c in modules.conf18:23
synchronetor you will be hacked sooner or later18:23
synchronetUbuntu dont care18:24
riz0nok so let's try something else (because I don't wanna be hacked018:24
riz0nHere's what I'm aiming for18:25
sarnoldvsftpd should be fine18:25
synchronetif your using proftpd then yes, either comment that module out etc18:25
riz0nWhen individual users add files to their web directory, I want it to have the proper permission so that Apache doesn't throw up a 500 or 40318:25
tewardriz0n: unless you have a lot of other controls in place, you shouldn't have web files running from a user's home directory18:26
sarnoldsynchronet: if you're going to use proftpd instead of vsftpd you should go through the list of open CVEs against it http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html18:26
synchronetsarnold: its a Virtualmin thing18:26
synchronetthey use it18:26
tewardhate my IRC client18:26
synchronetsarnold:  I have moaned enough18:27
synchronetshould be fixed18:27
riz0nI did not have any of these problems until I upgraded to 14.04. But I was also giving people access to SSH. To eliminate that, I set their shell to /bin/false and they can use FTP (I do have encryption support in vsftpd)18:28
synchronetyeah you can find it on Google, nice virtual server software18:28
sarnoldsynchronet: yikes, if you're going to use virtualmin be sure you've got that firewalled to only your specific IP address18:28
synchronetVM is for webhosting18:28
tewardriz0n: I would instead put user web docroots in /var/www/${USER}/public_html or similar, set up a symlink in the user's home directory to that, and set permissions such that you then execute the following on that directory: chown ${USER}:www-data /var/www/${USER}/; chmod 2750 /var/www/${USER}/18:29
synchronetyet the still use profpd etc18:29
JanCso, don't use webmin/virtualmin18:29
tewardriz0n: that way, the web server can't traverse (unless it's not jailed or configured right) into user home directories, but the user can edit/create things and still the webserver will be able to access18:29
synchronetits a well know exploit18:30
synchronetJanC:  maybe not use Ubuntu 14.04?18:30
synchronetas you ship it18:30
synchronettook you ages to sort the headless server reboot problem in Grub18:31
ubottuwebmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.18:31
JanCthere is no proftpd in Ubuntu by default and no virtualmin in it at all18:32
genii..so there's that...18:32
synchronetthat cannot be possible18:32
synchronethangon, will ask18:32
ubottuwebmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.18:36
patdk-wkoh, he already did that18:36
synchronet Webmin works quite well with Ubuntu and Debian. It's also considered a Grade A supported distro. Was the reply18:37
synchronetI said, Quire well?18:38
tewardsynchronet: Webmin is not provided in the repositories18:39
synchronetGeez is Webmin and Virtualmin a second hand car dealer?18:39
tewardsynchronet: it does some oddities in it that make it incompatible with how the systems actually work under the hood18:39
synchronetteward: not trusted etc??18:39
patdk-wkoh, you can use them if you want18:39
tewardsynchronet: not trusted, doesn't work correctly alongside other utilities, botches configuration storage paths at times, etc.18:39
tewardsynchronet: you can install it if you want, but we don't support it here18:39
patdk-wkjust if you do, NEVER update your system automatically18:39
tewardsynchronet: you also are going to have to NOT enable any automated updates18:39
tewardbecause webmin doesn't work well with that18:40
tewardthere will be death18:40
synchronetworks fine it appears but not have have Ubuntu endorsement?18:40
tewardsynchronet: let me talk as a security guy then:18:40
synchronetthats important18:40
tewardif you run webmin, its going to open you to vulnerabilities18:40
tewardmany service scanners search for it, and hunt for exploitable paths as well18:40
synchroneteverything as vunrabilties I get your up^dates daily18:40
tewardand unless you are always on the latest of it, you will be opening yourself to hell18:41
tewardsynchronet: i mean in webmin18:41
tewardNOT in the underlying software on Ubuntu18:41
tewardyou don't get security updates for webmin via Ubuntu18:41
synchronetyou dont look after it18:41
tewardand those security updates that happen automatically will need ***turned off*** if you use webmin18:41
synchronetI get it18:41
tewardor you will break things18:41
patdk-wkI normally only see security updates every other week, or less18:41
tewardit will break, and it will break things.18:41
patdk-wkbut that is better than monthly rollouts for me atleast18:42
tewardsynchronet: as a server administrator, and a security guy, you can use webmin if you want, but we don't support it, we don't endorse it, we recommend NOT using it, and you will use it at your own risk18:42
synchronetteward: got ya18:42
synchronetwill just relay that on18:42
tewardto whom18:42
tewardor your IT admins :p18:42
synchronetVM irc18:42
tewardwhy are we playing relay tag again?18:43
synchronetits important18:43
tewardagain, *why* are we playing relay tag with a channel that isn't an Ubuntu channel?18:44
synchronetsome of use are trying to make a secure living using Linux18:44
tewardlearn the command line, where configuration files are, SSH connections, and the stuff that server administrators who actually get certified as such (like myself) have to learn.18:44
synchroneteven so webmin etc say Ubuntu is a GRADE A OS you dont support it!18:45
* teward grumbles18:45
sarnoldyikes, if you're using webmin firewall the living hell out of -that- too18:45
synchronetwhat CP for webhoster do you recommend then?18:45
tewardy'know what, I'm going to chalk all this up to "user and upstream stupidity", and going to do something actually productive, like clear the "TODO" items off my worklist for Yakkety...18:45
darko0Hey guys! I'm thinking of setting up a ubuntu server for webhosting on Linode and currently my main concern is security setup.. Could anyone point me in the right direction to set that up a guide/tool or whatever , thx for the help!18:45
sarnoldthe most common causes of breakins are: (a) brute-forced ssh passwords (b) vulnerabilities in those terrible "control panel" programs18:46
synchronetnoob here just trying to use the tools out there18:46
synchronetwhy dont Ubuntu do a web hosting CP?18:46
synchronetcharge a few bucks18:47
JanCsarnold: well, and all sorts of web apps in general18:47
sarnoldJanC: true, but something about control panels attracts the worst programming discipline :(18:47
synchronetUbuntu server and the new Ubuntu web hosting CP, would sell no?18:49
sarnoldit's kind of a niche market thse days... fifteen years ago, maybe18:49
synchronetwho needs cpanel, direct admin, Virtualmin etc after18:49
synchronetfood for thought18:50
synchronetniche market, using a linux server for webhosting??18:50
sarnoldthese days folks just roll out something on digital ocean or amazon s3 or whatever, it's cheap, they've got full control over their own site..18:50
sarnoldtwo thousand users on a host is just not as common as it once way18:51
JanCthere are a couple of CP that were designed to be used with Debian/Ubuntu, IIRC18:51
tewardsarnold: s/way/was/18:51
synchronettalking about dedicated18:51
synchronetto be honest I dont think any of you really know what your doing18:52
synchronetand chasing after what suits your needs18:52
Baesarnold, hello18:52
sarnoldsynchronet: all I'm saying is if you're going to use programs with such terrible security histories, _please_ take precautions.18:52
tewardsynchronet: if you don't think we know what we're doing, the exit is over there --->18:52
sarnoldsynchronet: confine your ftpd with apparmor..18:52
tewardyou are the one who came here with questions ;)18:53
Baei came back to ask you question about apparmor if you do not mind. since you already know my specific config sorta. sarnold18:53
sarnoldsynchronet: confine your web control panels with firewalls18:53
Baebtw are you a developer?18:53
Baeof apparmor i mean18:53
sarnoldhey Bae :) how you're doing today?18:53
tewardBae: sarnold's on the Security Team18:53
Baehey sarnold im fine thx. how are you?18:53
Baesick ass18:53
sarnoldBae: well, sort of. I don't actually write much code for it but I've been working on apparmor for ~16 years :)18:53
Baenice to have u here18:53
patdk-wkdid apparmor nesting land for lxc?18:54
patdk-wkif so, I didn't figure it out :)18:54
Baeso my question is what is the purpose of logprof sarnold. according to this http://www.howtogeek.com/118328/how-to-create-apparmor-profiles-to-lock-down-programs-on-ubuntu/ it seems like you can create profiels from logs after running the profile normally in complain mode?18:54
sarnoldpatdk-wk: not et18:54
patdk-wkno wonder I couldn't get it working yet :)18:55
sarnoldpatdk-wk: john wrote some docs http://wiki.apparmor.net/index.php/AppArmorStacking#Using_Stacking_in_combination_with_Policy_Namespaces  -- I haven't looked at them yet18:55
sarnoldBae: yeah aa-logprof can do that for programs that you've started running; if you're creating a profile from scratch you can use aa-genprof and it will automate the aa-logprof steps for you18:56
Baesarnold, ah so my steps would be if i set complain mode on my nodejs program for example. and say the nodejs program starts up, accesses /home/user/directory1 and then accesses /home/user/directory2 then does some other network shit. this will all get logged. then if i tell apparmor to generate logs it will blacklist ALL other directories and ONLY whitelist those 2 directories and the networking shit? is that what it does?18:57
sarnoldBae: mostly. it'll ask you a question about every log entry. if some of your answers covers log entries it hasn't reached yet, it gets to skip those :)18:58
Baesarnold, when will it ask me questions about log entries? when i do the aa-logprof command?18:59
sarnoldBae: yes18:59
Baesarnold, so basically it will look at everything i've done when i perform every possible functionality of the app, then ask me is this ok? is that ok? and then if i say yes and no, it will generate a profile automatically for me and then i can run the enforce mode to enforce that profile so that every possible command of the nodejs app can be done. and anything outside of that will be blocked?19:01
sarnoldBae: right19:01
Baedamn thats really smart19:01
sarnoldyes :)19:02
patdk-wkand then all is good, till you expand your node app19:02
patdk-wkand you can't figure out why you keep getting permission denied errors19:02
patdk-wkand forgot to look at dmesg19:02
Baepatdk-wk, if it came down to that i will edit the nodejs app, upload it to the server. delete the current node app profile. and then logprof again19:03
patdk-wkthat would be really annoying19:04
patdk-wkjust run it on the new entries it is printing, or add them manually19:04
patdk-wkthen just append19:04
Baemaybe i will just do that yes patdk-wk19:04
Baesarnold, how is the scope of this? if nodejs accesses a file say /home/user/directory/file.txt. is the apparmor generated profile going to blacklist everything else and ONLY whitelist /home/user/directory/file.txt in logprof ?19:05
Baelike what is the default way that app armor works? blacklist everything and whitelist a few things?19:05
sarnoldBae: it'll ask you what you want to do; you could answer "allow" and only that file will go in the whitelist. Or "glob" and /home/user/directory/* will be added. "glob ext" will add /home/user/directory/*.txt. "glob ext glob ext" will give you /home/user/**.txt. And so on. :)19:06
sarnoldBae: exactly19:06
sarnoldBae: the 'deny' rules can subtract accesses but that's subject to the usual "blacklists aren't safe" reasoning.19:07
Baeyeah i dont like that deny shit tbth19:07
Baei like blocking to everything EXCEPT the things i need19:07
sarnoldit's sometimes useful19:08
sarnoldand apparmor also allows you to use the 'deny' keyword to silence the logging when you know something is doing something stupid19:08
sarnoldfor example, everything linked with kerberos tries to write to /etc/keytab.something as part of startup -- the intention is that they fail if they can write to it19:08
sarnold.. but _every_ _program_ doing this is annoying :) so add the 'deny' rule to the profile and apparmor will be silent about those.19:09
Baesarnold, question. if nodejs app calls another binary in the bin folder and apparmor profile contain catches that, can i tell apparmor to put the other binary as an "ix" mode in the nodejs app profile ???19:10
Baeprofile complain*19:11
Baeas in is there way to send the "ix" command from the logprof method ?19:11
Baeor do i have to generate the logs, then open the profile file then manually add ix where need be?19:11
Baetbh any other binary the nodejs app calls i will probably do ix just to make sure those bins can only access the file directories that my nodejs app can access19:11
patdk-wkI whitelist stuff19:12
patdk-wkbut I also blacklist stuff, to keep down log noise19:12
patdk-wklike things the app does, that I don't want to work :)19:12
sarnoldBae: yes, logprof will let you pick between px, ix, cx, ux, as appropriate :) it also makes it hard to e.g. pick 'px' for /bin/grep, etc., because that'd wreck your day.. :)19:13
patdk-wkux all the stuffs19:13
* sarnold kicks patdk-wk19:13
Baewow are u a hacker19:14
patdk-wkhmm /usr/bin/* ixr,19:14
patdk-wklooks like that is what I'm mainly using is ixr19:15
Baeman this apparmor shit is cool af19:15
sarnoldpatdk-wk: oh yeah that's fine :)19:15
patdk-wkfun php one, owner @{WWW_DIRS}/phpsessions/?/?/* rwk19:15
patdk-wkhad to use, to make sendmail work, owner /var/spool/mqueue-client/* rwk19:17
patdk-wkrun this app in total confinement19:18
Baesarnold, does apparmor by default blacklist all things and whitelist certain things (as described in complain mode) ?19:22
patdk-wkdefine default?19:22
patdk-wkif you setup an empty profile, it will audit deny everything19:22
patdk-wkdepending on how you switch into it19:23
Baepatdk-wk, yeah say i put something in aa-complain mode. then ran it. then generated with logprof. at this moment in time, is apparmor going to generate an profile with everything blacklisted BUT my specifications whitelisted?19:23
patdk-wkdepends, it will make that profile, yes19:24
sarnoldBae: yes; try this: cp /bin/bash /tmp ; echo "/tmp/bash { /tmp/bash rix, /bin/* rix, /usr/bin/* rix, }" | apparmor_parser --reload     and then run /tmp/bash, see what happens ;)19:24
patdk-wkbut I'm not sure if it will override the calling or not19:24
Baeoh i see19:24
sarnoldBae: start with somethin gnice and small and see what happens :)19:24
patdk-wkcan't remember how the calling works, for switching, maintaining and adding, ...19:24
patdk-wkas I always use, swapping :)19:25
patdk-wkchangehat :)19:25
Baeok thanks guys. it answers all my questions this has been great :)19:25
patdk-wkwhat those ux, ix, px, ... mean19:25
Baeheh. all i know is i like ix most19:26
Baeprobably ixr. yep19:26
patdk-wkix if I remember right is, include restrictions and execute19:26
patdk-wkclose enough :)19:26
Baeyeh pal19:26
sarnold"profile exists"19:27
patdk-wkhmm, kindof like wrapping your program into one of these? http://www.ostrichpillow.com/19:32
Datzsarnold: Thanks for the advice yesterday with my DNS resolving issue (adding nameserver to /etc/resolv.conf.  A little to add to that. I had configured the machine for a static address in /etc/network/interfaces which seems to be defined correctly. Today I checked /etc/resolv.conf after ping failed to resolve DNS, or course it was overwritten. So I started checking in /etc/resolvconf/resolv.conf.d/ as you suggested 21:36
DatzHopefully that wasn't cut off^21:37
DatzThat loong post is really directed at anyone.21:38
sarnoldDatz: the last thing that went through was "as you suggested"21:39
Datzas you suggested yesterday to have it added automatically. I noticed in /etc/resolvconf/resolv.conf.d/original there's a nameserver for the wrong gateway, the one for where I set the machine up instead of the one for the current location. This seems like a bug?21:40
DatzI edited it for the gateway where it currently is, but it really seems like it should reidentify and be overwritten21:42
DatzThere could also be something wrong with my gateway/router21:42
sarnoldDatz: I think the "original" file is just one that resolvconf stuffs away in case you need it21:47
DatzAh, I see.21:48
DatzLooks like everything else in /etc/resolvconf/resolv.conf.d/ is basically empty21:49
sarnoldDatz: yeah; the 'head' gets prepended to the /etc/resolv.conf that it generates21:50
Datzah, interesting, so I could define a nameserver there?21:51
tewardDatz: yes, you could21:51
DatzNeat, I bet there's docs on it(i hope) I'll have a look. THanks21:52
tewardin fact, this is what I do on my local Ubuntu 14.04 laptop, which runs its own bind9 resolver, because I have a lot of different DNS rules21:52
tewardthere isn't, really21:52
Datzok, I can just add "nameserver" then?21:52
tewardbasically, under the two commented out lines (with # at the beginning), put this: nameserver
tewardreplace accordingly21:52
Datzah, gotcha, thanks21:52
DatzI can add one for redundancy also in the same format I suspect.21:53
sarnoldsince "unreachable nameserver" takes an absolute eternity, you'll probably want to just fix whatever unreliability is in a nameserver :)21:53
sarnoldit's like six seconds or something outright intolerable21:54
Datzhead also warns that changes will be overwritten21:55
JanCthere is documentation in /usr/share/doc/resolvconf/README.gz21:55
sarnoldyes, that's how the warning makes it into /etc/resolv.conf :)21:55
Datzheh heh21:55
DatzOn a completley unrelated note, I thought that ZFS was now the default FS in 16.04, but it looks like I'm on ext4.21:56
sarnoldseriously though you can reach the other side of the planet in about 250 ms or so. four trips around the world, one second, yeah alright..21:56
skylitewhich one is faster NFS or samba? I cant see clear answers to that anywhere21:56
JanCext4 is default, ZFS is available21:56
sarnoldI guess six seconds is long enough that it's so terrible you actually go investigate -why- it's broken21:56
bekksskylite: NFS has a smaller protocol overhead.21:57
sarnoldif it was one second you might not bother, or just think something else is broken..21:57
DatzJanC: Ok thanks.21:57
sarnoldDatz: zfs on root currently takes some work21:59
sarnoldit's possible but I decided for myself that it was too much effort21:59
JanConce we've colonized Mars we'll have to increase that 6 sec though  :)21:59
Datzsarnold: gotcha. I hadn't looked into it, I just noticed that's what was mentioned in ol reliable Wikipedia.22:00
sarnoldJanC: mars will doubtless run their own recursors :)22:00
sarnoldDatz: zfs is awesome stuff; here's a nice series of blog posts https://pthree.org/2012/12/04/zfs-administration-part-i-vdevs/22:01
DatzCool, I'll take a look.22:01
=== ianorlin is now known as lynorina
=== lynorina is now known as lynornian
=== nacc is now known as Guest64822
=== nacc_ is now known as nacc
=== JanC is now known as Guest59129
=== JanC_ is now known as JanC

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!