[00:00] What changed in regards to setting up a static ip on 16 vs 24?
[00:00] thanks
[00:00] vs 14*
[00:00] "no longer works", what fails?
[00:00] it doesn't set the assigned ip
[00:02] sarnold: this is what my image came with: http://pasted.co/212f34e7
[00:02] I do not recognize the last line from ubuntu 14
[00:02] sarnold: I have a feeling the problem's there
[00:04] HappySomethingSo: what is your interface named? 'ip link' should show you the name; add your configuration to the file, then try to bring it up with ifup
[00:04] sarnold: in /etc/network/interfaces.d I have a file named 50-cloud-init.cfg with this in it: http://pasted.co/e213548b
[00:04] HappySomethingSo: aha, does that match your interface name?
[00:04] HappySomethingSo: do you want it to use dhcp?
[00:05] sarnold: Any .cfg files he makes in interfaces.d get wiped out next boot, any changes he makes to the existing file there also get reverted
[00:05] sarnold: yes, eth0 is now enxb827eb7c6bae apparently. I want to use a static ip
[00:05] not dhcp
[00:06] sarnold: ( we were just going through this issue in #ubuntu and I referred him here for more specific help )
[00:06] hey genii :)
[00:07] * genii waves
[00:08] HappySomethingSo: are you using cloud-init intentionally? if not maybe the easy answer is uninstalling it
[00:09] sarnold: it's a fresh image, I haven't touched anything
[00:09] what exactly is cloud-init?
[00:10] cloud-init makes it easy to fire up VM images (or actual hardware, in the case of MAAS) and have them "autodiscover" their configuration: networking, package repositories, new users, packages to add, etc. I find it a bit underdocumented but they have some nice examples up that give the flavor of what it does: http://cloudinit.readthedocs.io/en/latest/topics/examples.html
[00:11] sarnold: I see, well if it came preinstalled I'd rather not meddle with it
[00:11] ok
[00:11] I think I've got it
[00:11] that explains it, "50-cloud-init.cfg" is created by cloud-init, so of course it'll get overwritten
[00:12] HappySomethingSo: interesting, this feels like it might also interact poorly with this bug https://bugs.launchpad.net/cloud-init/+bug/1571004 -- but I'm not 100% sure ..
[00:12] Launchpad bug 1571004 in cloud-init "apply networking only on first instance boot" [Medium,In progress]
[00:12] Now that my curiosity is sated, I'm off to watch hockey
[00:13] sarnold: genii: TJ-: I managed to get the static ip working, I edited /etc/network/interfaces like usual but used the new interface name instead of eth0 (which is weird because it was called eth0 on the 50-cloud-init file until I rebooted it a couple of times)
[00:14] HappySomethingSo: and it sticks across reboots?
[00:14] sarnold: I've rebooted it twice more and it seems like it's staying on the desired ip
[00:14] so it was a problem with the interface names
[00:15] thank all of you for your help
[00:15] HappySomethingSo: excellent, I'm glad that was sufficient. :) like I said, I find cloud-init underdocumented, so I feared trying to find the fix if something simple didn't do it. :)
[00:15] I was quite lost
[00:15] :)
[00:15] there's Good Reasons for these new interface names but it's going to take me another twenty years or something to get used to them.
[00:16] sarnold: yeah, I thought something had gone wrong and that it was an error when I first saw the new name
[00:18] understandable :)
[02:08] Hi, I'm having network troubles with my install of 16.04. I can't install packages, and I can't ping outside servers. I'm currently logged in remotely though. I think there is some sort of DNS trouble. Any ideas?
[02:09] can you ping by ip address? try e.g. ping 8.8.8.8
[02:11] This is what I'm getting trying to install a package : http://hastebin.com/iwozasesig.vhdl
[02:12] sarnold: yes, I can
[02:12] Datz: alright, cat /etc/resolv.conf -- that should list some nameservers. ping each one in turn..
[02:13] ok
[02:14] sarnold: resolv.conf appears to be two commented lines long
[02:14] Datz, on 16.04?
[02:14] yes
[02:14] then you suffer this bug, https://bugs.launchpad.net/ubuntu/+source/appstream/+bug/1579712
[02:14] Launchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]
[02:14] think so.. just installed today
[02:15] lot of heat.. remove it, and you'll be fine, patch is in proposed
[02:15] OerHeks: .. how does that bug lead to busted dns?
[02:15] you don't need that appstream , it is optional
[02:15] so run sudo appstreamcli refresh --force ?
[02:15] sarnold, not sure how, but removal fixed it for a lot of users in #ubuntu
[02:15] OerHeks: ouch :/
[02:16] i know, ugly fix ..
[02:16] Datz: well, lets try OerHeks's suggested fix :) apt-get purge appstream
[02:16] ok, will do
[02:17] OerHeks: did they need to do anything else along the way? re-poke apt in the eye or reboot or something else?
[02:18] ehm, good point. after removal, i would (try) to rerun apt update
[02:18] purged.. still not resolving.
[02:18] actually, the package in -proposed doesn't fix that bug :)
[02:19] #30 john wang - The reason I warned against removing the binary is because it's a bad practice in general, even though in this particular problem scenario the removed binary gets restored when its package is upgraded
[02:19] :-(
[02:20] or, wait, maybe it's because it tried to install appstream before libappstream or something
[02:23] right, that was it
[02:23] So, is there a workaround or fix, or am I holding tight for now?
[02:24] OerHeks: I think that was specific to the "rm /usr/bin/appstream*" advice or whatever it was
[02:25] Datz seems to have a DNS issue
[02:25] Datz: well, as a half-ass solution you could try adding "nameserver 8.8.8.8" to your /etc/resolv.conf by hand; that'll use google's public resolver
[02:25] JanC: OerHeks said the appstream screwup broke a bunch of people's dns. it seemed worth trying.
[02:26] I like the sound of htat
[02:26] that*
[02:26] I think I've had to do this before actually. Maybe something with my network instead.
[02:27] if you've got a dhcp server that hands out leases without giving you dns server info that might be able to do it
[02:27] but tbh since I never see that situation that's a wild guess
[02:28] more info now on the bug page
[02:28] https://bugs.launchpad.net/ubuntu/+source/appstream/+bug/1579712
[02:28] Launchpad bug 1579712 in appstream (Ubuntu Xenial) "Refresh hangs due to strdup on non-NULL terminated string" [Medium,Fix committed]
[02:28] sarnold: I'm not sure if that's the case or not. Adding that nameserver does seem to fix the problem though.
[02:29] Will that nameserver be overwritten as stated in the comments of resolv.conf ?
[02:30] Also, I guess I can add back appstream?
[02:30] Datz: meh, as far as I can tell appstream just downloads 8 megabytes of icons in case you want to browse gnome-software-center or something like that. If you're in here asking for help you'll probably never notice it's gone. ;)
[02:31] Ah, yes.. no gui.. ok guess I don't need it. Surprised it was added with the netinstall.
[02:32] Datz: it's possible that the file will be re-written to be useless. if that keeps happening you can either uninstall the resolvconf package or you can figure out the /etc/resolvconf/resolv.conf.d/ files to re-add this..
[02:33] sarnold: great I'll make a note, and try and do this. Thanks.
[02:33] Datz: note that there's half-billion people in the world using the google dns recursor -- while there's some safety in numbers, it feels like I ought to let you know that that -is- a step outside of whatever the machines next to you might be doing
[02:34] Datz: so e.g. local hostnames may not resolve correctly, or a local cache may do a better job for you. (or google's might be faster. most ISPs suck at running DNS so many people do get better results with google...)
[02:36] In the past I've added google's DNS servers without ever really thinking about it. Maybe my isp is better, I don't know :)
[02:39] I assume I can add some redundancy..
[02:41] funny thing with dns, redundancy isn't always better -- finding one server that works is way better
[02:41] and dns is super strange, the recursors get far better the more traffic they have
[02:41] if they have all data already cached because someone else asked for it a second ago, you'll get a much faster response..
[02:42] one hot recursor is almost always better than two cool recursors
[02:42] in stark contrast against e.g. web servers where multiple cool servers are usually better than one hot server :)
[02:44] it depends on how hot, of course
[02:45] webservers use lots of caching too (filesystem cache, database table/query cache, memcached, etc.)
[02:46] yeah, if you can get webserver ram served stuff, that's best :)
[02:50] sarnold, depends :)
[02:50] patdk-lap: just buy more ram of course! :)
[02:50] caching helps, but not tuning the recursor properly and giving it too much ram
[02:50] can cause it to get slow as crap
[02:51] ya, but unlike most things, dns is one huge hash table lookup, can cause all kinds of issues when it gets large
[02:51] you talking normally about caching 200bytes or so maybe 1k per entry :)
[02:52] hot webservers are good, just not *hot* cgi/fcgi/... servers :)
[02:53] * patdk-lap can't imagine what it would take to run 10k r/s wordpress site, without static caching
[02:54] but 10qps dns recursor ought to be standard desktop thing :)
[02:55] 10qps dns is less than a web browser does :)
[02:56] of course i meant 10kqps :)
[02:56] 10qps .. well, tandy 1000 :)
[02:57] tandy 1000 would have zero memory left for caching probably :P
[02:58] sarnold, dunno
[02:58] my large dns installs, are only doing 1kqps recursive, and 300qps authoritative
[02:59] using two primary large recursives, and tiny ones on the smtp servers
[03:51] the link to hp moonshot on the arm server page is broken btw
[03:51] http://partners.ubuntu.com/hp?_ga=1.169315112.868843675.1460222902
[03:51] http://www.ubuntu.com/download/server/arm down at the bottom
[06:39] Hi. I am having some trouble starting nfs-kernel-server as rpcbind starts after the nfs service. any thoughts? I see that nfs service is started by init script while rpcbind is already converted to systemd unit
[06:41] I've found bug #1558196 .. but the solution provided makes no difference
[06:41] bug 1558196 in rpcbind (Ubuntu) "ypbind not able to socket activate rpcbind under systemd, fails at boot unless something else starts rpcbind" [Undecided,Triaged] https://launchpad.net/bugs/1558196
[07:01] Anyone knows if the "lo" interface is added by the kernel in Ubuntu?
[07:01] Even after emptying the "/etc/network/interfaces" file it is added.
[07:02] halvors, lo is added by networking service or network-manager
[07:02] having lo is essential to many services running on linux
[07:04] Yeah, the thing is that i want to disable the "network" service in favor of "systemd-networkd"
[07:05] halvors, having "lo" does not impact you then.. either way you will need it.
[07:06] it might be brought on by systemd.. i have not checked that yet..
[07:07] AtuM: Yeah i know, just wondering if it's added by ifupdown or systemd :)
[07:07] Not going to remove it.
[07:07] AtuM: Do you know how to disable ifupdown?
[07:07] halvors.. check /etc/init/network-interface.conf.. there are some definitions there..
[07:08] systemd still needs configuration files to do anything
[07:08] Yeah i know.
[07:09] in the mentioned conf file it is stated for "lo" : # bring this up even if /etc/network/interfaces is broken
[07:09] so there you have it
[07:11] halvors, no, i've never tried to disable ifupdown.
[07:12] Ah ok, thanks :)
[07:13] how would i tell systemd to start rpcbind before nfs-kernel-server ? I'm doing a workaround by restarting both services inside rc.local, but i really do not like doing things this way
[08:05] hi, I managed to configure my ubuntu server as a member to active directory. I have an ids problem.
[08:05] I also ran ldapsearch and it seems there's some kind of pre-defined list of attributes used by ldapsearch
[08:06] I'm noticing the attributes I want to be mapped in /etc/ldap.conf are not listed in the LDIF query result.
[08:10] ubuntu's defaults are not made for microsoft ad. you might need to adjust those attributes
[08:35] sobersabre: schemas...
[10:12] hey yall
[10:13] I have a vpn question if i may?
[10:19] i have tried setting up openvpn on my raspberry pi and moved client key to phone and used openvpn client on android phone, but the connection just stays at 'waiting server response'
[10:19] After trying many times various openvpn guides, i have decided to go back to using pptp, which i have set up before
[10:20] is there a way of making pptp a bit more secure? Limiting to a specific device to connect from etc?
[10:20] not completely ubuntu-server, but i am trying to connect to my network to get access to my owncloud/subsonic, which is on ubuntu server
[10:20] thank you in advance
[10:21] I wouldn't trust pptp. I'd focus on making openvpn work.
[10:22] It might be worth running tcpdump on the server to see if two way traffic is getting through.
[10:23] davethenoob: first thing on the server-side is consult and watch the logs, having enabled additional verbose debug log messages
[10:27] jamespage: chown -R root:neutron /etc/neutron/ in neutron-common.postinst breaks our deployment, was this added recently?
[10:28] hmm okay
[10:28] ill give it another go
[10:28] frickler, not changed for a long time...
[10:29] Date: Thu Apr 30 15:29:57 2015 +0200
[10:29] was the last touch on that file - and tbh that was the creation of the git repo its in...
[10:29] how does tcpdump work? Do I run it and then connect from phone client?
[10:30] jamespage: ok, well, nevermind then, nothing that a decent chef-client run couldn't fix ;)
[10:30] can anybody recommend a good step by step guide for installing openvpn on raspberry pi? Ive tried a couple and one video guide.
[10:31] try #raspberrypi or #openvpn
[10:38] davethenoob: "apt-get install openvpn" and add a config in /etc/openvpn/server/ I think it is
[12:08] coreycb, added ironic, trove and nova-lxd to CI; ironic does not like xenial; nova-lxd foobar on newton generally
[12:09] jamespage, ok
[12:09] jamespage, we were 100% success at one point yesterday
[12:10] coreycb, yup
=== Guest24582 is now known as devil_
[12:34] coreycb, ddellav: horizon bugs could do with some love. https://bugs.launchpad.net/ubuntu/+source/horizon/
[12:35] jamespage, I'll take a look
[12:40] Hi, I'm having a little trouble after I updated from 14.04 to 16.04
[12:40] The problem I'm having is that suddenly none of my git repositories are working
[12:42] http://pastebin.com/TLCBYxPA that's the error I'm getting when I'm trying to pull a repo.
=== chuck__ is now known as zul
[13:44] udo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied
[13:44] sudo*
[13:45] ubuntu xenial 16.06
[13:45] what can be the issue?
[13:45] 16.04, perhaps
[13:45] but what is org.freedesktop doing on a server?
[13:45] idk
[13:47] * RoyK find systemd confusing
[13:47] s/find/finds/
[13:48] o.O
[13:48] its the Dbus path to the IPC daemon
[13:48] is it?
[13:49] the path is the freedesktop specified path
[13:49] Sagar: as I asked in #ubuntu, did the system boot using Upstart? in which case that error would make sense
[13:49] idk how can i check that?
[13:49] possibly "cat /proc/cmdline" will have an 'upstart' or something on the line
[13:50] cat /proc/cmdline => BOOT_IMAGE=/boot/vmlinuz-4.4.0-22-generic root=/dev/md1 ro rootdelay=10 net.ifnames=0
[13:50] Nope
[13:50] "permission denied" ... have you modified the sudoers entries at all?
[13:51] yes
[13:51] Sagar: so you shot yourself in the foot?
[13:51] i am root
[13:52] this is my /etc/sudoers
[13:52] http://pastebin.com/tChH3sFE
[13:53] you're root but calling it with sudo?
[13:53] how about just "systemctl status apache2.service" ?
[13:53] Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied
[13:53] still the same
[13:54] is it policy kit?
[13:55] The error is coming via Dbus
[13:56] then what should i do?
[13:59] TJ-?
[14:00] Sagar: well first I'd return to a vanilla sudoers to determine if those changes are responsible or not (generally it's better not to edit /etc/sudoers but add an additional file with e.g. "visudo -f /etc/sudoers.d/my_admins ")
[14:00] Sagar: I'd also do a reboot in case this is a one-off
[14:01] rebooted already
[14:02] i just removed php from my server
[14:02] after that i am getting these issues
[14:03] Did something else get removed too? check the /var/log/apt/history.log and /var/log/apt/term.log in case
[14:11] coreycb, 12 packages to go until 1000 uploads...
[14:12] jamespage, ha! where do you see that?
[14:12] coreycb, https://launchpad.net/~james-page/+uploaded-packages
[14:13] jamespage, that's got to get a karma bonus :)
[14:13] I'm waiting for achievement unlocked to resound across my office.. :-)
[14:13] sarnold: So, did HappySomethingSo's issue last night end up to be cloud-init, in the end?
[14:14] jamespage, lol
[14:26] jamespage, I'm fixing cinder for newton
[14:26] coreycb, microversion-parse is in unstable; I missed two copyright holders for monascaclient - sorting that now
[14:26] jamespage, ok
[14:28] ddellav, I see you signed up for glance in the spreadsheet. it's building ok so I think we can hold off until the next breakage.
[14:30] ddellav, did you do some work on oslo.cache? I see you have it marked as done
[14:30] ddellav, let me know if you need a sponsor
[14:46] I have a router running linux and a problem where a TCP connection that comes in on another interface than it went out on is being dropped somehow. This is IPv6, does the kernel do any reverse path filtering?
[14:54] Ahoy all, I'm looking for help / advice on setting up an IRC server on a dedicated Ubuntu server, the purpose of which is to create a web based IRC chatroom on a website.
[14:54] ezicial: it's probably much easier to use an existing irc network to create a channel
[14:54] unless you have good reasons not to use one
[14:55] Sling: nope no good reason, we just have the dedicated server so thought why not, it could be interesting...
[14:56] ezicial: having a communication channel on another server is especially useful if you want your community to still be able to reach each other when the server is down :)
[14:56] there is also webchat.freenode.net already
[14:58] Also I have no idea what the rules are with regards to freenode, etc.'s policy on creating chatrooms for a particular site. In this case an internet radio station.
[14:58] Don't want to step on any toes if it can be avoided.
[14:58] ezicial: #freenode can help explain
[15:01] Out of interest sake though, is there any reason not to create our own IRC server other than possible down time (which doesn't really apply since the website is hosted on the same server anyway)?
[15:01] i am getting this error
[15:01] root@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied
[15:01] coreycb ok i'll hold off on glance and yes, oslo.cache is ready, i'll push the repo and send you the link for sponsor directly
[15:01] what could be wrong?
[15:04] ddellav, ok. feel free to grab broken packages to work on that have a red dot on the ci dashboard. we're at a point now where most everything is successful and we can spend a little time each day on daily maintenance.
[15:04] ddellav, how's heat?
[15:06] coreycb ok, i'll keep an eye on the dashboard. Heat is done. It seemed to create the config properly the way I had it but I updated it with your suggestions. I'll re-push in a minute
[15:08] ddellav, jamespage: I pushed a new version of cinder for newton, that should fixup today's failure
[15:10] ezicial: no, not particularly, but irc servers are not very widely used as packaged, so you might find some rough corners as you try to set it up
[15:13] maswan: yep, already seeing some of those rough corners...
[15:27] i am getting this error root@wolf:~# sudo systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied
[15:54] coreycb lp:~ddellav/ubuntu/+source/oslo.cache ready to go, heat is having build failures after i changed d/rules, looking at them now
[16:07] anyone who could tell me why i am getting permission denied issue on root@wolf:~# systemctl status apache2 => Failed to get properties: Failed to execute program org.freedesktop.systemd1: Permission denied
[16:15] coreycb i think what happened with heat was because i moved my changes to the master branch and there are dependency issues: https://launchpad.net/~ddellav/+archive/ubuntu/xenial-newton/+build/9778758
[16:16] ddellav, did you bump those requirements up?
[16:16] coreycb i did not touch d/control at all. Only change I made was to d/rules
[16:17] ddellav, that's odd. send me a link to your package.
[16:17] coreycb however jamespage did have an unreleased version bump in the repo that my changes attached to
[16:17] ddellav, that's probably just daily ci fixes
[16:18] coreycb lp:~ddellav/ubuntu/+source/heat
[16:18] ddellav, fwiw heat is building ok. 4 successes today.
[16:18] on the daily build ^
[16:20] ddellav, you'll need to build that with the daily snapshot, so use the daily snapshot process
[16:21] ddellav, also leave the version as 0ubuntu1
[16:21] ddellav, wait...
[16:21] waiting
[16:21] ddellav, nevermind, yes do that and we won't upload the fix until b1
[16:22] coreycb remind me what is the daily snapshot process? Is that the pastebin james posted about core releases?
[16:22] ddellav, oh and the depwait you're getting is because you're building it in a xenial ppa
[16:22] ddellav, yes
[16:22] ok, i'll use yakkety
[16:23] service apache2 start doesn't show any output, i am on ubuntu 16.04 xenial
[16:28] does anyone know if the 70-persistent-net.rules udev interface tricks should work in 16.04 ? I have a server that can't decide if the NIC is rename3 or rename5 ;(
[16:32] service apache2 start doesn't show any output like it used to starting/running .... apache2 [ok], i am on ubuntu 16.04 xenial
[16:32] Hello - I have an Ubuntu 14.04 LTS web server and I am trying to make some changes to its behavior. Currently, I have each user's web page within their home folder (for example, www.foo.com would be /home/foo/www). The problem I'm running into is that each time a file is added, permissions have to be re-set to allow that file to be accessible by Apache. I am trying to eliminate that.
[16:32] What I was thinking was create /var/www/foo.com and give the user mike and group foo permission to this, then create a symlink from /home/foo/foo.com to /usr/var/foo.com. The problem I'm running into is that when I ftp into foo's account, and try to browse to the symlink, I get permissions denied. What would be the best way to go about setting foo's web folder access so that any newly created files will be accessible by Apache?
[16:33] coreycb i rebuilt on a yakkety-newton ppa and its still complaining about monasclient. In the spreadsheet james noted the latest build also has a depwait on it for his system as well
[16:35] ddellav, ah. ok. let me review and upload it directly to the testing ppa for newton.
[16:36] ddellav, let me know when it's fixed up (--> 0ubuntu1)
[16:37] coreycb: ok, I'll fix that and repush.
[16:42] coreycb: ok it's fixed.
[17:14] ddellav, oslo.cache pushed/uploaded, thanks
[17:21] ddellav, heat's pushed and I manually kicked off a daily build for the newton combinations
[18:00] what is the command to get a service to start at boot?
[18:03] check the man but usually default setting
[18:06] If you use the regular update-rc.d way, systemd will execute it the same way sysvinit would have previously
[18:07] I tried the update-rc.d defaults path, and when I reboot, still nothing
[18:11] jeeves_moss: Old but still relevant Debian step-by-step: https://debian-administration.org/article/28/Making_scripts_run_at_boot_time_with_Debian
[18:12] perfect, thanks. I'm going to need to do some self signed certs, and push this out.
[18:19] Hello: I am using Ubuntu 14.04. I have set up a web server where I have multiple users on system, each having their own sites.
[18:20] For example, user foo may have bar1.com and bar2.com as domains, so they would have /home/foo/bar1.com and /home/foo/bar2.com. We use VSFTPD to upload files to the server
[18:20] When I create directories, I create them with permissions of 775
[18:21] However, when files are uploaded, they are given permission of 600. What changes do I need to make in vsftpd to where permissions, by default, are 775?
[18:23] riz0n: if you're using 14.04 make sure if you're using proftpd to comment out the mod_copy.c in modules.conf
[18:23] or you will be hacked sooner or later
[18:24] Ubuntu don't care
[18:24] ok so let's try something else (because I don't wanna be hacked)
[18:25] Here's what I'm aiming for
[18:25] vsftpd should be fine
[18:25] if you're using proftpd then yes, either comment that module out etc
[18:25] When individual users add files to their web directory, I want it to have the proper permission so that Apache doesn't throw up a 500 or 403
[18:26] riz0n: unless you have a lot of other controls in place, you shouldn't have web files running from a user's home directory
[18:26] synchronet: if you're going to use proftpd instead of vsftpd you should go through the list of open CVEs against it http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html
[18:26] sarnold: its a Virtualmin thing
[18:26] they use it
[18:26] hate my IRC client
[18:27] sarnold: I have moaned enough
[18:27] should be fixed
[18:27] virtualmin...
[18:28] I did not have any of these problems until I upgraded to 14.04. But I was also giving people access to SSH. To eliminate that, I set their shell to /bin/false and they can use FTP (I do have encryption support in vsftpd)
[18:28] yeah you can find it on Google, nice virtual server software
[18:28] synchronet: yikes, if you're going to use virtualmin be sure you've got that firewalled to only your specific IP address
[18:28] VM is for webhosting
[18:29] riz0n: I would instead put user web docroots in /var/www/${USER}/public_html or similar, set up a symlink in the user's home directory to that, and set permissions such that you then execute the following on that directory: chown ${USER}:www-data /var/www/${USER}/; chmod 2750 /var/www/${USER}/
[18:29] yet they still use profpd etc
[18:29] proftpd
[18:29] so, don't use webmin/virtualmin
[18:29] riz0n: that way, the web server can't traverse (unless it's not jailed or configured right) into user home directories, but the user can edit/create things and still the webserver will be able to access
[18:30] its a well know exploit
[18:30] known
[18:30] JanC: maybe not use Ubuntu 14.04?
[18:30] as you ship it
[18:31] took you ages to sort the headless server reboot problem in Grub
[18:31] !webmin
[18:31] webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.
[18:32] there is no proftpd in Ubuntu by default and no virtualmin in it at all
[18:32] ..so there's that...
[18:32] that cannot be possible
[18:32] hangon, will ask
[18:36] !webmin
[18:36] webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system.
[18:36] oh, he already did that
[18:37] Webmin works quite well with Ubuntu and Debian. It's also considered a Grade A supported distro. Was the reply
[18:38] I said, Quire well?
[18:38] Quite
[18:39] synchronet: Webmin is not provided in the repositories
[18:39] Geez is Webmin and Virtualmin a second hand car dealer?
[18:39] synchronet: it does some oddities in it that make it incompatible with how the systems actually work under the hood
[18:39] teward: not trusted etc??
[18:39] oh, you can use them if you want
[18:39] synchronet: not trusted, doesn't work correctly alongside other utilities, botches configuration storage paths at times, etc.
[18:39] synchronet: you can install it if you want, but we don't support it here
[18:39] just if you do, NEVER update your system automatically
[18:39] synchronet: you also are going to have to NOT enable any automated updates
[18:40] because webmin doesn't work well with that
[18:40] there will be death
[18:40] works fine it appears but not have Ubuntu endorsement?
[18:40] synchronet: let me talk as a security guy then:
[18:40] thats important
[18:40] if you run webmin, its going to open you to vulnerabilities
[18:40] many service scanners search for it, and hunt for exploitable paths as well
[18:40] everything has vulnerabilities I get your updates daily
[18:41] and unless you are always on the latest of it, you will be opening yourself to hell
[18:41] synchronet: i mean in webmin
[18:41] NOT in the underlying software on Ubuntu
[18:41] sure
[18:41] you don't get security updates for webmin via Ubuntu
[18:41] ok
[18:41] you dont look after it
[18:41] and those security updates that happen automatically will need ***turned off*** if you use webmin
[18:41] I get it
[18:41] or you will break things
[18:41] I normally only see security updates every other week, or less
[18:41] it will break, and it will break things.
[18:42] but that is better than monthly rollouts for me at least
[18:42] synchronet: as a server administrator, and a security guy, you can use webmin if you want, but we don't support it, we don't endorse it, we recommend NOT using it, and you will use it at your own risk
[18:42] teward: got ya
[18:42] will just relay that on
[18:42] to whom
[18:42] webmin?
[18:42] or your IT admins :p
[18:42] VM irc
[18:43] why are we playing relay tag again?
[18:43] its important
[18:44] again, *why* are we playing relay tag with a channel that isn't an Ubuntu channel?
[18:44] some of us are trying to make a secure living using Linux
[18:44] so
[18:44] learn the command line, where configuration files are, SSH connections, and the stuff that server administrators who actually get certified as such (like myself) have to learn.
[18:45] even so webmin etc say Ubuntu is a GRADE A OS you dont support it!
[18:45] * teward grumbles
[18:45] yikes, if you're using webmin firewall the living hell out of -that- too
[18:45] what CP for webhoster do you recommend then?
[18:45] y'know what, I'm going to chalk all this up to "user and upstream stupidity", and going to do something actually productive, like clear the "TODO" items off my worklist for Yakkety...
[18:45] Hey guys! I'm thinking of setting up a ubuntu server for webhosting on Linode and currently my main concern is security setup.. Could anyone point me in the right direction to set that up a guide/tool or whatever , thx for the help!
[18:45] np
[18:46] the most common causes of breakins are: (a) brute-forced ssh passwords (b) vulnerabilities in those terrible "control panel" programs
[18:46] noob here just trying to use the tools out there
[18:46] why dont Ubuntu do a web hosting CP?
[18:47] charge a few bucks
[18:47] sarnold: well, and all sorts of web apps in general
[18:47] JanC: true, but something about control panels attracts the worst programming discipline :(
[18:47] hehe
[18:49] Ubuntu server and the new Ubuntu web hosting CP, would sell no?
[18:49] it's kind of a niche market these days... fifteen years ago, maybe
[18:49] who needs cpanel, direct admin, Virtualmin etc after
[18:50] food for thought
[18:50] niche market, using a linux server for webhosting??
[18:50] these days folks just roll out something on digital ocean or amazon s3 or whatever, it's cheap, they've got full control over their own site..
[18:51] two thousand users on a host is just not as common as it once way
[18:51] there are a couple of CP that were designed to be used with Debian/Ubuntu, IIRC
[18:51] sarnold: s/way/was/
[18:51] talking about dedicated
[18:52] to be honest I dont think any of you really know what you're doing
[18:52] and chasing after what suits your needs
[18:52] sarnold, hello
[18:52] synchronet: all I'm saying is if you're going to use programs with such terrible security histories, _please_ take precautions.
[18:52] synchronet: if you don't think we know what we're doing, the exit is over there --->
[18:52] synchronet: confine your ftpd with apparmor..
[18:53] you are the one who came here with questions ;)
[18:53] i came back to ask you a question about apparmor if you do not mind. since you already know my specific config sorta. sarnold
[18:53] synchronet: confine your web control panels with firewalls
[18:53] btw are you a developer?
[18:53] of apparmor i mean
[18:53] hey Bae :) how are you doing today?
[18:53] Bae: sarnold's on the Security Team
[18:53] hey sarnold im fine thx. how are you?
[18:53] sick ass
[18:53] Bae: well, sort of. I don't actually write much code for it but I've been working on apparmor for ~16 years :)
[18:53] dang
[18:53] nice to have u here
[18:54] did apparmor nesting land for lxc?
[18:54] if so, I didn't figure it out :)
[18:54] so my question is what is the purpose of logprof sarnold. according to this http://www.howtogeek.com/118328/how-to-create-apparmor-profiles-to-lock-down-programs-on-ubuntu/ it seems like you can create profiles from logs after running the profile normally in complain mode?
[18:54] patdk-wk: not yet
[18:55] no wonder I couldn't get it working yet :)
[18:55] patdk-wk: john wrote some docs http://wiki.apparmor.net/index.php/AppArmorStacking#Using_Stacking_in_combination_with_Policy_Namespaces -- I haven't looked at them yet
[18:56] Bae: yeah aa-logprof can do that for programs that you've started running; if you're creating a profile from scratch you can use aa-genprof and it will automate the aa-logprof steps for you
[18:57] sarnold, ah so my steps would be if i set complain mode on my nodejs program for example. and say the nodejs program starts up, accesses /home/user/directory1 and then accesses /home/user/directory2 then does some other network shit. this will all get logged. then if i tell apparmor to generate logs it will blacklist ALL other directories and ONLY whitelist those 2 directories and the networking shit? is that what it does?
[18:58] Bae: mostly. it'll ask you a question about every log entry. if some of your answers cover log entries it hasn't reached yet, it gets to skip those :)
[18:59] sarnold, when will it ask me questions about log entries? when i do the aa-logprof command?
[18:59] Bae: yes
[19:01] sarnold, so basically it will look at everything i've done when i perform every possible functionality of the app, then ask me is this ok? is that ok? and then if i say yes and no, it will generate a profile automatically for me and then i can run the enforce mode to enforce that profile so that every possible command of the nodejs app can be done. and anything outside of that will be blocked?
[19:01] Bae: right
[19:01] damn that's really smart
[19:02] yes :)
[19:02] and then all is good, till you expand your node app
[19:02] and you can't figure out why you keep getting permission denied errors
[19:02] and forgot to look at dmesg
[19:03] patdk-wk, if it came down to that i will edit the nodejs app, upload it to the server. delete the current node app profile. and then logprof again
[19:04] that would be really annoying
[19:04] just run it on the new entries it is printing, or add them manually
[19:04] then just append
[19:04] maybe i will just do that yes patdk-wk
[19:05] sarnold, how is the scope of this? if nodejs accesses a file say /home/user/directory/file.txt. is the apparmor generated profile going to blacklist everything else and ONLY whitelist /home/user/directory/file.txt in logprof ?
[19:05] like what is the default way that apparmor works? blacklist everything and whitelist a few things?
[19:06] Bae: it'll ask you what you want to do; you could answer "allow" and only that file will go in the whitelist. Or "glob" and /home/user/directory/* will be added. "glob ext" will add /home/user/directory/*.txt. "glob ext glob ext" will give you /home/user/**.txt. And so on. :)
[19:06] Bae: exactly
[19:07] Bae: the 'deny' rules can subtract accesses but that's subject to the usual "blacklists aren't safe" reasoning.
[19:07] yeah i don't like that deny shit tbth
[19:07] i like blocking everything EXCEPT the things i need
[19:07] exactly
[19:08] it's sometimes useful
[19:08] and apparmor also allows you to use the 'deny' keyword to silence the logging when you know something is doing something stupid
[19:08] for example, everything linked with kerberos tries to write to /etc/keytab.something as part of startup -- the intention is that they fail if they can write to it
[19:09] .. but _every_ _program_ doing this is annoying :) so add the 'deny' rule to the profile and apparmor will be silent about those.
[19:10] sarnold, question.
if nodejs app calls another binary in the bin folder and apparmor profile contain catches that, can i tell apparmor to put the other binary as an "ix" mode in the nodejs app profile ???
[19:11] profile complain*
[19:11] as in is there a way to send the "ix" command from the logprof method ?
[19:11] or do i have to generate the logs, then open the profile file then manually add ix where need be?
[19:11] tbh any other binary the nodejs app calls i will probably do ix just to make sure those bins can only access the file directories that my nodejs app can access
[19:12] I whitelist stuff
[19:12] but I also blacklist stuff, to keep down log noise
[19:12] like things the app does, that I don't want to work :)
[19:13] Bae: yes, logprof will let you pick between px, ix, cx, ux, as appropriate :) it also makes it hard to e.g. pick 'px' for /bin/grep, etc., because that'd wreck your day.. :)
[19:13] ux all the stuffs
[19:13] * sarnold kicks patdk-wk
[19:14] wow are u a hacker
[19:14] hmm /usr/bin/* ixr,
[19:15] looks like that is what I'm mainly using is ixr
[19:15] man this apparmor shit is cool af
[19:15] patdk-wk: oh yeah that's fine :)
[19:15] fun php one, owner @{WWW_DIRS}/phpsessions/?/?/* rwk
[19:17] had to use, to make sendmail work, owner /var/spool/mqueue-client/* rwk
[19:18] run this app in total confinement
[19:22] sarnold, does apparmor by default blacklist all things and whitelist certain things (as described in complain mode) ?
[19:22] define default?
[19:22] if you set up an empty profile, it will audit deny everything
[19:23] depending on how you switch into it
[19:23] patdk-wk, yeah say i put something in aa-complain mode. then ran it. then generated with logprof. at this moment in time, is apparmor going to generate a profile with everything blacklisted BUT my specifications whitelisted?
[19:24] depends, it will make that profile, yes
[19:24] Bae: yes; try this: cp /bin/bash /tmp ; echo "/tmp/bash { /tmp/bash rix, /bin/* rix, /usr/bin/* rix, }" | apparmor_parser --reload and then run /tmp/bash, see what happens ;)
[19:24] but I'm not sure if it will override the calling or not
[19:24] oh i see
[19:24] damn
[19:24] Bae: start with something nice and small and see what happens :)
[19:24] can't remember how the calling works, for switching, maintaining and adding, ...
[19:25] as I always use, swapping :)
[19:25] changehat :)
[19:25] ok thanks guys. it answers all my questions, this has been great :)
[19:25] what those ux, ix, px, ... mean
[19:26] heh. all i know is i like ix most
[19:26] probably ixr. yep
[19:26] ix if I remember right is, include restrictions and execute
[19:26] inherit
[19:26] "inherit"
[19:26] close enough :)
[19:26] yeh pal
[19:27] "unconfined"
[19:27] "profile exists"
[19:32] hmm, kind of like wrapping your program into one of these? http://www.ostrichpillow.com/
[19:33] lol
[21:36] sarnold: Thanks for the advice yesterday with my DNS resolving issue (adding nameserver 8.8.8.8 to /etc/resolv.conf). A little to add to that. I had configured the machine for a static address in /etc/network/interfaces which seems to be defined correctly. Today I checked /etc/resolv.conf after ping failed to resolve DNS, of course it was overwritten. So I started checking in /etc/resolvconf/resolv.conf.d/ as you suggested
[21:37] Hopefully that wasn't cut off^
[21:38] That long post is really directed at anyone.
[21:39] Datz: the last thing that went through was "as you suggested"
[21:40] as you suggested yesterday to have it added automatically. I noticed in /etc/resolvconf/resolv.conf.d/original there's a nameserver for the wrong gateway, the one for where I set the machine up instead of the one for the current location. This seems like a bug?
[21:42] I edited it for the gateway where it currently is, but it really seems like it should reidentify and be overwritten
[21:42] There could also be something wrong with my gateway/router
[21:47] Datz: I think the "original" file is just one that resolvconf stuffs away in case you need it
[21:48] Ah, I see.
[21:49] Looks like everything else in /etc/resolvconf/resolv.conf.d/ is basically empty
[21:50] Datz: yeah; the 'head' gets prepended to the /etc/resolv.conf that it generates
[21:51] ah, interesting, so I could define a nameserver there?
[21:51] Datz: yes, you could
[21:52] Neat, I bet there are docs on it (I hope). I'll have a look. Thanks
[21:52] in fact, this is what I do on my local Ubuntu 14.04 laptop, which runs its own bind9 resolver, because I have a lot of different DNS rules
[21:52] there isn't, really
[21:52] ok, I can just add "nameserver 8.8.8.8" then?
[21:52] basically, under the two commented out lines (with # at the beginning), put this: nameserver 127.0.2.1
[21:52] replace 127.0.2.1 accordingly
[21:52] ah, gotcha, thanks
[21:53] I can add one for redundancy also in the same format I suspect.
[21:53] since "unreachable nameserver" takes an absolute eternity, you'll probably want to just fix whatever unreliability is in a nameserver :)
[21:54] it's like six seconds or something outright intolerable
[21:54] ha
[21:55] head also warns that changes will be overwritten
[21:55] there is documentation in /usr/share/doc/resolvconf/README.gz
[21:55] yes, that's how the warning makes it into /etc/resolv.conf :)
[21:55] ah
[21:55] heh heh
[21:56] On a completely unrelated note, I thought that ZFS was now the default FS in 16.04, but it looks like I'm on ext4.
[21:56] seriously though you can reach the other side of the planet in about 250 ms or so. four trips around the world, one second, yeah alright..
[21:56] which one is faster, NFS or samba?
I can't see clear answers to that anywhere
[21:56] ext4 is default, ZFS is available
[21:56] I guess six seconds is long enough that it's so terrible you actually go investigate -why- it's broken
[21:57] skylite: NFS has a smaller protocol overhead.
[21:57] if it was one second you might not bother, or just think something else is broken..
[21:57] JanC: Ok thanks.
[21:59] Datz: zfs on root currently takes some work
[21:59] it's possible but I decided for myself that it was too much effort
[21:59] once we've colonized Mars we'll have to increase that 6 sec though :)
[22:00] sarnold: gotcha. I hadn't looked into it, I just noticed that's what was mentioned in ol' reliable Wikipedia.
[22:00] JanC: mars will doubtless run their own recursors :)
[22:01] Datz: zfs is awesome stuff; here's a nice series of blog posts https://pthree.org/2012/12/04/zfs-administration-part-i-vdevs/
[22:01] Cool, I'll take a look.
=== ianorlin is now known as lynorina
=== lynorina is now known as lynornian
=== nacc is now known as Guest64822
=== nacc_ is now known as nacc
=== JanC is now known as Guest59129
=== JanC_ is now known as JanC