[00:00] ubuntu_: that sounds a bit like LTSP
[00:00] what's LTSP
[00:01] linux terminal server project http://www.ltsp.org/
[00:01] O is that going to support vnc or rdp or both
[00:02] because that's kind of cool
[00:03] a quick skim of http://wiki.ltsp.org/wiki/Concepts gives me the impression that it's native X11
[00:08] Is there any comprehensive guide on using kvm/qemu/libvirt on ubuntu. I specifically use virsh to start stop and edit all my virtual machines, I suppose that is all that is really needed but just wondering if there are any additional commands that do other useful stuff, like adding a new disk while the vm is running, etc.
[00:16] Also curious for GPT partitioning what is the preferred file system for a linux partition is it ext4 or is it like LVM or some virtual level file system that one can use
[00:17] I guess what i am getting at is the best filesystem for large data centers with expandable racks or Loading more HDD drives / expansions
[00:18] I'm a fan of ext4 for OS storage and openzfs for your data
[00:18] GPT covers pretty much infinity size partitions but for a file system on that partition kind of wondering what linux file system
[00:18] some people do like to put their ext4 filesystems on top of lvm but i'm too lazy to figure that out
[00:18] zfs and ufs is more for *bsd file systems
[00:19] but ya i guess you could use the zfs for linux
[00:19] i just format them as ext4
[00:19] and mount them
[00:19] I am wondering what linux file system is good for expansion of data like a server in the data center that one can add HDD
[00:19] zfs
[00:20] zfs on top of ext4 or just zfs on the bare partition
[00:20] zfs on bare drives
[00:20] don't partition the drives, the zpool tool takes care of everything
[00:20] gotcha for windows ntfs supports zfs type expansion?
[00:21] or is windows using a different file system
[00:21] I haven't used ntfs in 16 years, I suspect it's changed a bit :)
[00:21] you can extend a partition across drives in windows
[00:21] otherwise, raid
[00:21] for data centers i know ntfs is enough for any small business or most HDD drive but more interesting in the data center
[00:22] in my datacenter, I put in a drive, format it as ext4, mount it in whatever folder I want
[00:22] depends on what you're doing
[00:22] Yes but can you extend the file system across drives or do you have to reformat the ntfs after you expand the drive
[00:23] when you're spreading it over more than one drive
[00:23] in windows: just initialize the drive, and extend the partition onto it
[00:23] It would have to have some LVM virtual software on top of the bare file system i would imagine
[00:23] windows has its own stuff, not compatible with linux
[00:24] other than just a ntfs partition
[00:24] O ok ya never tried it only expanded and shrink HDD partitions on the same HDD drive
[00:24] curious is there any drive that can go do both zfs and ntfs
[00:25] zfs is a filesystem
[00:25] drives just hold bits, you can put whatever filesystem you want on them
[00:25] I guess would be nice to know that a driver is out there for windows and mac to support zfs
[00:25] I understand the OS X openzfs port has been revived. I haven't heard of anyone working on a windows openzfs port.
[00:25] I don't know and I doubt it. so count windows out. if the drive goes into a linux server it stays in a linux server
[00:26] Because how else if you use zfs and now not have linux anymore are you going to be able to get the data off the zfs you would have to have a means to install a zfs driver .sys .dll onto the windows machine
[00:26] boot into a linux live cd
[00:27] you can also run one of the illumos-derived distributions, such as smartos or omnios
[00:27] though linux has ntfs don't you think windows should have zfs driver made?
[00:28] dunno. I worry about linux and let microsoft worry about windows.
[00:28] if they think their users would like zfs they're free to try to port it
[00:29] But you think since file on a file system is really what people live for when it comes to computers you think you want portability between major filesystems
[00:30] without storage or files/filesystem you just got computer memory which is nice but then you don't have persistent storage or any kind of information systems other than at an instance in memory
[00:37] seems like there used to be a read-only ZFS for Windows, but it can't even read recent versions
[00:38] there was a fuse-based zfs a while ago but I think it's .. quite stale
[00:39] I certainly wouldn't trust any data I cared about to fuse
[00:39] dokan-based
[00:39] so the idea of zfs-fuse strikes me as funny :)
[00:39] the one I saw
[00:40] fuse is useful to rescue data off a disk if there is no other driver though
[00:40] yeah
[00:40] or a convience vs sftp or scp all the time :)
[00:40] convenience
[00:43] I rescued data from disks that came out of a ReadyNAS NV+ with it some time ago (apparently they use or used a patched ext3 in some of their NAS systems, which can be read with one of the fuse-based implementations of ext2/3/4)
[00:44] that's ... odd :)
[00:44] hooray for the patched versions being available though
[00:44] that'd be a frustrating way to lose data if it were stuck in their silo
[00:48] How do I find my LDAP URL and port (preferably via phpLDAPadmin?)
[00:49] sarnold: you can mount those filesystems in Ubuntu with the implementation in 'fuseext2' (there is info about how to do it on the internet)
[00:50] JanC: neat
[00:51] Nevermind, I think I have it figured out.
[01:20] How do I configure phpldapadmin to ONLY be available over localhost?
[01:24] (Solved that too. Sorry!)
[01:55] Hi
[03:06] There are some expert in firewall(ufw) ubuntu??
[03:06] how i create a note? to share here¿?
[03:07] MASM: the pastebinit package has a pastebinit tool that makes it easy to create and share links to pastebin contents
[03:08] thanks, and how to put before name and then text¿? it is automatic?
[03:08] sarnold: <-----?
[03:09] MASM: most irc clients let you type a few characters of the nickname and then hit tab to complete the rest of it
[03:09] I just type m and get MASM: automatically :)
[03:09] thanks, i'm new in this...
[03:10] welcome aboard :)
[03:11] sarnold: if i want to write in pastebin, code like terminal, what option from "Syntax Highlighting" i need to choose ?
[03:12] MASM: probably you can keep it 'plain text' or something similar; the syntax highlighting is if you're pasting part of a program
[03:13] MASM: but shell interactions don't usually improve with syntax highlighting :)
[03:20] sarnold: thanks a lot
[03:21] There are a limit for connection to a socket in ubuntu server ????
[03:23] there are many limits
[03:24] you have to have the right privileges to bind to a tcp or udp port <1024 ; there are a maximum number of file descriptors available to a process ; uhhh, I'm sure there's more, but that's all I could think of quickly :)
[03:40] i have ubuntu server, i config ufw to allow some range of ports, but in syslog, appear the tag "[UFW BLOCK]" ipsource, ipserver, portsource, portdestiny, and i allow that port, i think, maybe it would be the limit of socket connection with tcp
[03:44] MASM: if it has a tag like that, then it was probably blocked by ufw
[03:44] you know about ufw?,
[03:45] a little
[03:45] I'm sadly vastly uneducated about linux firewalling .. twenty years ago I was awesome at it but then everything changed :)
[03:46] sarnold: Everything Changed When The Fire Nation Attacked
=== _degorenko|afk is now known as degorenko
=== iberezovskiy|off is now known as iberezovskiy
[10:18] can anyone shed light on why my iptables rules weren't loaded after a reboot? i had been running my ass wide open for a few days.. had to do iptables-restore and it loaded the rules from /etc/network/iptables.up.rules
=== Shoe16|Phone is now known as Shoe16
=== tinwood is now known as tinwood-lunch
=== tinwood-lunch is now known as tinwood
[16:01] i need help with ubuntu server with ufw and iptables e.e
[16:03] !help | MASM
[16:03] MASM: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[16:05] ubottu: Thanks for the tips, i am new in this chat
[16:05] MASM: I am only a bot, please don't think I'm intelligent :)
[16:07] MASM: What is your actual problem?
[16:09] before all: ubuntu-server, with services apache,ssh, and it receive information from gps trackers, that reports every time, and are constantly,
[16:10] I have a problem with ufw, and connections tcp incoming, I allowed port 80, 22, 12300:12400/tcp and udp, the problem is when i see tail -f /var/log/syslogs | grep "UFW BLOCK", i saw a ips blocked that ips are destiny to port 80 and 12363 <- this is in range that i allow, and i see in iptables, that are a limit of 3/min, i changed this to 1/s , i think i solved this, but not, in this morning i saw some ips blocked in port 80
[16:11] http://paste.ubuntu.com/21287991/
[16:14] MASM: What does nmap say?
[16:14] And jeez what a mess does ufw make of iptable rules.
[16:15] nmap from local or from external machine?
[16:15] External
[16:15] ok wait a minute
[16:21] MASM: those drops might have been from something else. eg, when an existing or new connection is coming in at the time you do 'sudo ufw reload'
[16:23] MASM: your policy looks fine. I suggest tailing the log while trying to make a new connection. it should be fine. I might also point out 'sudo ufw show raw' which gives a full dump of everything
[16:24] also, not sure how this is a 'mess'. it is actually quite organized so it won't stomp on other applications that add rules
[16:27] nmap from linux mint : http://paste.ubuntu.com/21289724/
[16:31] Jul 28 10:31:05 u2139 kernel: [73766.1808] [UFW BLOCK] IN=eth0 OUT= MAC=08:00 SRC=187.210.150.xx DST=74.208.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=45020 DF PROTO=TCP SPT=46420 DPT=80 WINDOW=1414 RES=0x00 ACK FIN URGP=0
[16:32] i still get some messages from syslog, with this rules
[16:35] if i understand this, all are right, and i only need to wait for the gps reconnect again?,
[16:40] MASM: nmap is sending an invalid packet. See: 'ACK FIN' is not valid. 'SYN ACK' or 'FIN' are
[16:41] MASM: and ufw blocks invalid packets by default:
[16:41] # drop INVALID packets (logs these in loglevel medium and higher)
[16:41] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[16:41] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[16:42] MASM: use your browser to reach the destination on port 80 and you shouldn't see a denial
[16:43] yes the web site show perfectly
[16:44] jdstrand: you say that that packets that ufw block are invalids?
[16:44] MASM: tools like nmap are super flexible and send weird stuff to see if they can illicit information out of the firewall, sometimes for OS fingerprinting and the like. the denial is expected and fine. your rules are fine
[16:45] MASM: that log entry you gave shows 'ACK FIN' for the tcp flags. that is an invalid combination, yes
[16:48] s/illicit/elicit/ (not sure why I typoed that :)
[16:50] jdstrand: and this logs are normal, this have "ACK" only
[16:50] http://paste.ubuntu.com/21292299/
[16:52] * jdstrand notes ACK and FIN can be legitimate under certain circumstances as part of connection tracking, but my point was an nmap-generated packet that sends an ACK/FIN is snot
[16:52] is not
[16:53] MASM: how are you generating those? with nmap?
[16:53] this seems like possibly a problem with connection tracking if not
[16:55] that are reals gps tracking
[16:56] MASM: what is the output of: sudo /usr/share/ufw/check-requirements (feel free to paste it to paste.ubuntu.com)
[16:58] jdstrand: this is the output - http://paste.ubuntu.com/21293215/
[16:59] MASM: no, you need to run: sudo /usr/share/ufw/check-requirements
[16:59] ha sorry jejjeej
[16:59] MASM: on the system that has the firewall
[17:00] jdstrand: http://paste.ubuntu.com/21293437/
[17:01] ok, that's good. your kernel has everything it needs
[17:02] MASM: can you paste the output of 'sudo ufw show raw'?
[17:03] ok
[17:04] jdstrand: http://paste.ubuntu.com/21293970/
[17:07] MASM: ok, I don't see any rules that would interfere with ufw. your firewall looks fine. this seems like a problem with connection tracking. I suggest googling: netfilter connection tracking dropped packets (the first entry is good)
[17:08] MASM: that said, depending on how you are reloading the firewall, you can get invalid packets since they aren't part of an established connection. those should start to die down very soon after the firewall/machine restart though
[17:09] smoser: do you have a reference to ivoks' ntpdate bug please? I can't find any that he reported.
[17:10] MASM: if they don't, look at the connection tracking stuff
[17:11] MASM: one final question: did you modify /etc/ufw/*rules by hand? I'm seeing very few packets counted in ufw-user-input chain
[17:11] rbasak, will look.
[17:11] MASM: ie, an excerpt from your last paste: http://paste.ubuntu.com/21294738/
[17:11] i only add directly iptables rules and ufw, and not in files,
[17:12] MASM: what do you mean by 'i only add directly iptables rules'?
[17:12] MASM: you are adding rules outside of ufw?
[17:12] but i reset all, and put rules via ufw like allow 200, 80 and range ports 12300:12400
[17:13] MASM: what version of Ubuntu is this on?
[17:13] i did but i reset iptables and ufw, and begin again only with allow that ports that i mentioned
[17:13] rbasak, its a private bug.
[17:13] 14.04 stable
[17:14] and ufw 0.34~rc-0ubuntu2
[17:14] MASM: can you paste the output of: sudo sha256sum /etc/ufw/*
[17:15] jdstrand: i reset ufw a lot, jejejej http://paste.ubuntu.com/21295261/
[17:17] MASM: can you paste /etc/ufw/ufw.conf ?
[17:17] jdstrand: http://paste.ubuntu.com/21295548/
[17:20] is there any way to give ssh process the maximum priority over the available bandwidth?
[17:20] ok, all your files look fine. please run this series of commands:
[17:20] sudo ufw disable
[17:20] sudo /lib/ufw/ufw-init flush-all
[17:20] sudo ufw enable
[17:21] MASM: if there are errors with the above ^, please paste them
[17:21] i didn't get any errors, it was ok
[17:21] ok, then everything should be fine
[17:22] tail the log and you'll hopefully not see any more logged denials after now (check the timestamps! :)
[17:23] MASM: ^ if you do, check the connection tracking stuff I mentioned
[17:30] I'm checking my syslog, and i get some block ports, http://paste.ubuntu.com/21297086/
[17:42] MASM: many of those aren't in the range you specified (it would be easiest if you pasted only the new ones). look into the search on the connection tracking and see if that is affecting you. another thing to investigate is whatever is running on 12363 if it is perhaps sending weird packets. tcpdump/wireshark/etc would help there
[17:52] jdstrand: I have a nodejs runned with "forever start myscript.js" this open a specific ports that gps tracker, connect to port via tcp or udp and they (gps) give to server the information about imei,status,position,etc,
[17:57] if it isn't connection tracking related, then I think you need to look more deeply at the packets. alternatively, you could add rules to /etc/ufw/before[6].rules that don't care about connection tracking
=== iberezovskiy is now known as iberezovskiy|off
=== degorenko is now known as _degorenko|afk
=== ashleyd is now known as ashd
=== madsa_ is now known as madsa
=== JanC is now known as Guest85214
=== JanC_ is now known as JanC
[21:13] I'm trying to remove ACL's that I accidentally placed on a folder from a Windows machine. I'm trying to use setfacl by typing 'setfacl -x /folder/path' but it responds with "setfacl: Option -x: Invalid argument near character 1"
[21:14] I don't see what other arguments I would need besides the folder path
=== octavius is now known as octavius_
=== octavius_ is now known as octavius
[21:59] Shambles: it's expecting an ACL spec for -x
[21:59] from the man page:
[21:59] Removing a named group entry from a file's ACL
[21:59] setfacl -x g:staff file
[21:59] you're not giving it an ACL to 'clean' and it expects one
[21:59] s/an ACL/an ACL pattern or spec/
[22:01] Ah ok thanks teward. Was just expecting it to purge all ACLs and leave basic permissions
[22:02] Shambles: yeah, apparently not (if you look at the man page you'll see a little more about the -x argument flag, and see what it expects).
[22:03] Shambles: -x without anything doesn't appear to be the equivalent of 'flushing out the acl' :P
[22:03] would -b do what you want?
[22:03] i was about to say that
[22:03] stop reading my brain
[22:03] or maybe -k
[22:03] Shambles: you can try -b
[22:03] tough to tell :)
[22:04] sarnold: erm
[22:04] Shambles: do you want to leave the basic UNIX style permissions in place (owner, group, other)?
[22:04] 'cause -k removes the default, and not the extended. -b removes the extended, and not the defaults
[22:04] combine, and ACL is nuked, maybe
[22:04] sarnold: I think -b is what they need...
[22:04] or want...
[22:05] -b, --remove-all
[22:05] Remove all extended ACL entries. The base ACL entries of the owner,
[22:05] group and others are retained.
[22:05] i should *really* stop pasting here
[22:05] *goes to disable paste*
[22:29] I have a bit of a puzzle. On a leased server, my "root" domain name points to /public_html, as it should. However, I want to put all of the *pages* that appear on that site in a separate folder. I've already got a rather complex .htaccess...
[22:30] ...actually, I just answered my own question.
[23:22] Is it possible to configure an .htaccess to treat contents of a subfolder as if they were in the root folder?