[02:16] hey anyone on to help with an iptables /aws s3 question?
[02:16] http://serverfault.com/questions/807122/what-rules-am-i-missing-for-aws-s3-allow-via-iptables?noredirect=1#comment1024903_807122
[02:18] ndboost: are you confident your AWS security groups are configured correctly?
[02:18] yes
[02:18] without the iptables enabled i get straight in
[02:18] without, i dont
[02:19] er with i dont
[02:19] aha
[02:19] can you add relevant -jLOG or something entries to your iptables?
[02:19] sure
[02:20] one sec
[02:21] viovim for which rules?
[02:25] hehe, I was thinking nearly everything :)
[02:26] lol what does LOG do?
[02:26] tells me its invalid
[02:26] I'm hoping it'd tell you what you still need to allow..
[02:26] iptables-restore v1.6.0: Bad ctstate "LOG,NEW,ESTABLISHED"
[02:26] Error occurred at line: 36
[02:26] i think its DNS
[02:27] hoping thats it
[02:27] dns?
[02:27] dns should have nothing to do with iptables
[02:27] yeah cant resolve the DNS
[02:27] so s3 bombs out
[02:27] i noticed with the rules in place i cant dig some domains
[02:27] but wget works for google.com
[02:28] you have no rules to allow dns
[02:28] that is a crazy ruleset
[02:28] lol i know it is
[02:28] who needs DNS :P
[02:29] there's not even four billion IPs to remember, all shorter than 32 bits. piece of cake. :)
[02:29] I totally don't understand the -A OUTPUT --sport -m conntrack rules
[02:30] allowing 80/443/22
[02:30] web server running
[02:30] those don't allow that
[02:30] that is what the INPUT rules did
[02:30] poh derp lol
[02:31] i put those in late last night for a hope
[02:31] lol
[02:31] personally, I would highly recommend you don't do iptables raw like that
[02:31] use ufw, shorewall, ....
[02:31] to build a sane ruleset
[02:33] actually, this is on aws
[02:33] why bother with iptables at all?
[02:33] the security groups do a much better job
[02:33] no its not aws
[02:33] s3 is
[02:33] this is on DigitalOcean
[02:33] :P
[02:33] ah
[02:34] you only need port 443 tcp for s3
[02:34] and working dns
[02:35] and those fun, -A INPUT --sport xxxx rules are a huge security hole
[02:35] ill use ufw lol
[02:35] those two rules will let me completely bypass your whole firewall, except for mysql access
[02:37] lol
[02:37] patdk-lap: how's that work?
[02:37] heh?
[02:38] I make a tcp connection from my port 10011, and to any dport I want on his side
[02:38] ufw is a lot easier
[02:38] patdk-lap: but why 'except for mysql'?
[02:38] it's excepted, except for port 3306 that is reject above
[02:38] cause there is only one reject rule before it
[02:38] thanks :)
[02:41] that ruleset so wants to be stateful, but isn't
[03:10] moving to ufw fixed my issue
[03:10] thanks
[03:11] excellent :)
[03:14] too many damn stupid rules lol
[03:15] ufw was way simpler
=== Mobutils_ is now known as Mobutils
[05:29] Hey guys
[05:30] has anyone had problems installing/upgrading mariadb-server on ubuntu 16.04 lately?
[05:30] I just upgraded my packages today and mariadb-server-10 "fails" to install, in that it still runs fine but the post-install script fails, so apt thinks its broken
[05:31] and there also seems to be a dep-error with mariadb-server and mariadb-server-10
=== Tarius- is now known as Tarius
[06:56] northcode: please file bugs, the community maintainer for mariadb cares :)
[07:11] jamespage: hi, the current openvswitch upload is blocked by a fail in the neutron autopkgtest which can't be due to the changes that got uploaded
[07:11] jamespage: yesterday coreycb mentioned a timing based issue on autopkgtests which could be just that
[07:12] jamespage: coreycb: the log is this https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-yakkety/yakkety/s390x/n/neutron/20161006_055450@/log.gz
[07:12] jamespage: coreycb: I already retried it once, but I don't want to buzz the retry button over and over
[07:12] jamespage: coreycb: could one of you confirm this is the same issue and in case yes let me know how you resolved it on your end?
[07:47] cpaelzer, did I just see ovs pass to updates?
[07:52] jamespage: checking ...
[07:53] jamespage: well yes, something/somebody changed it to ignored failure
[07:53] cpaelzer, hmm
[07:53] it is still visible in http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html
[07:53] tbh that's not one that's raced in the past
[07:53] so a bit worried about that
[07:53] that is why I'm asking around
[07:54] I downloaded the artifacts but they are totally useless
[07:54] a full journalctl output as artifact might have helped
[07:55] jamespage: but you must admit that changing a readme and a conffile comment can't trigger a failure :-)
[07:55] jamespage: so I wonder what caused this now
[07:57] cpaelzer, something s390x ish
[07:58] jamespage: I'll run it on my lpar just to see if I could find more of its status with a shell-fail on the autopkgtest
[07:58] jamespage: any more steps that would help reestablishing a good feeling?
[07:59] * cpaelzer urges lpar down? ...
[08:00] * cpaelzer realizes that all the recabling killed the vpn dialin *facepalm*
[08:08] cpaelzer, don't worry too much
[08:09] now it is already running :-)
[08:11] well my adt does seem to need some special care to take off, so I stop worrying a bit in case that turns out to be too much to get it running
[11:41] jamespage, cpaelzer: the nova autopkgtest s390 error that was surfacing on s390x is fixed by adding sqlite connection strings to nova.conf. maybe it's a similar issue for neutron.
[11:46] coreycb, neutron uses mysql for autopkgtest so not sure
[11:47] coreycb, anyway - I just tripped on a new neutron problem
[11:49] coreycb, https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1630968
[11:49] Launchpad bug 1630968 in neutron (Ubuntu) "neutron-openvswitch-agent - error on startup" [Undecided,New]
[11:50] I failed to recreate on s390 driving to autopkg issues with pitti
[11:50] coreycb: what did you use to recreate yesterday instead?
[11:52] cpaelzer, I used an s390x instance and noticed the service was flopping up and down due to the config error
[11:52] s/to/two/
[11:52] coreycb: ah ok, so you just ran it as-is and not within an adt environment?
[11:52] cpaelzer, I've also been using this to test autopkgtest fixes in PPAs: https://bileto.ubuntu.com
[11:53] I don't have the bileto superpower yet, at least I didn't a few weeks ago
[11:54] cpaelzer, do you have upload rights?
[11:54] coreycb: only server-deve
[11:54] cpaelzer, I wonder if xnox can change the perms to allow you to use it
[11:56] yo
[11:57] xnox, any chance per package uploaders can get perms to use bileto?
[11:57] jamespage, coreycb, cpaelzer: what I have noticed is that upon package installation, the following happens:
[11:57] postinst running
[11:57] -> service starting, crashing, restarting
[11:57] dpkg ends
[11:57] check that service is running fails
[11:58] -> service manages to start without crashing
[11:58] autopkgtest has failed by now
[11:58] -> service running fine
[11:59] and i changed autopkgtests to loop with a sleep/wait/timeout waiting for things to /eventually/ come up fine. However, imho, dpkg postinst should not return until service is started.
[11:59] (as in permanently fails, or after restarts manages to start fully)
[11:59] * xnox wishes openstack service used systemd notify protocol to fully state "yeah, READY=1 for realz now"
[12:00] xnox, thanks for the insight, I was curious more about bileto permissions for per package uploaders. :)
[12:00] coreycb, right. I am core-dev and I can do anything in bileto. No idea about others. I think anybody can create ticket, but e.g. a core-dev is still needed if you want to upload raw source packages, rather than use the crazy "release from upstream branch thing"
[12:01] coreycb, i'm happy to sponsor any source packages into biletos targeting the archive for you.
[12:01] jamespage, coreycb - looking at the bug, note that s390x autopkgtests are done in an LXD container, thus one cannot modprobe packages =/
[12:02] xnox, interesting..
[12:02] xnox, I'm hitting a new nova failure with kvm, I wonder if it's similar and can't modprobe
[12:02] on armh ^
[12:03] as in one should probably use $ ! systemd-detect-virt --container && exit 0
[12:03] coreycb, i believe autopkgtest runners on armhf & s390x are LXD containers, everything else is KVM virtual machines, and we have no infra for powerpc (old 32 bit big endian)
[12:04] xnox, ok that explains one of my failures! thanks.
[12:05] xnox, any idea who's in charge of acls for bileto.ubuntu.com? it'd be useful if per package uploaders like cpaelzer could get full access to debug failures and test fixes in PPAS.
[12:06] coreycb, talk to or or on #ubuntu-devel or some such
[12:06] xnox, will do, thanks
[12:20] coreycb, jamespage: hello - fyi, neutron/linuxbridge is still broken since last time I reported to you, we're using latest newton, you can see logs if you want to look https://review.openstack.org/#/c/382661/
[12:23] EmilienM, it would appear to be broken in a different way now
[12:23] EmilienM, hmm
[12:24] coreycb: thanks for kicking that discussion
[12:49] Hello, I'm currently trying to manage Windows accounts via Ubuntu Server. What are my options here ? Do I have to go with Samba and an AD or is there any other alternatives ? Thanks !
[12:54] You mean you want to manage Windows desktops without a Windows server? Or something else?
[12:55] Absolutely !
[12:56] Something similar to Novell GroupWise. Is this even possible ?
[12:56] I used to do this kind of thing for a living. IMHO, it stopped being worth it. I would consider using (and managing and supporting) a real Windows server as part of the cost of running Windows desktops and do it that way.
[12:57] Samba is the only other thing that I know about that can do it. It's an excellent project and has a very high quality codebase.
[12:57] But for actually running a domain, I'm not sure it's worth it any more. Certainly you'll find it much more of a struggle, and with loss of functionality, compared to just using a Windows server.
[12:59] Thank you for your answer, that's what I feared seeing all the abandoned projects.
[13:01] I'm really new to all this but even file sharing with Samba looks like a pain
[13:05] Plain file sharing is fine with Samba once auth is sorted out.
[13:06] The last time I looked (it's been a while), Samba still integrated with a Windows domain really well, eg. as a domain member, file sharing, even ACLs.
[13:07] There is an impedance mismatch of course, which Samba tackles admirably. But it does necessitate quite some understanding. It is well documented, but expect to do a lot of reading.
[13:08] (understanding of both Unix and Windows models of things)
[13:08] <_Wise_> hi *
[13:08] Indeed ! I think I underestimated that part ;)
[13:09] <_Wise_> I have an armada of Ubuntu Server 14.04 LTS instantiated on Azure, I thought about upgrading them to 16.04 LTS next year
[13:09] <_Wise_> but when I look at this page: https://assets.ubuntu.com/v1/65d114f8-release-chart-desktop.png?w=800
[13:09] <_Wise_> it turns out that 14.04 LTS *HARDWARE* updates stops soon
[13:09] <_Wise_> am I in danger ?
=== catalase- is now known as catalase
[13:10] _Wise_: where was that linked from please, so I have some context?
[13:10] <_Wise_> rbasak: from there: http://www.ubuntu.com/info/release-end-of-life
[13:11] What they mean is new kernels, essentially (X.org stack doesn't matter for server).
[13:11] <_Wise_> for me it's quite obscure what Hardware Update is
[13:13] See https://wiki.ubuntu.com/Kernel/LTSEnablementStack for details, but for cloud instances on Azure, it won't matter.
[13:14] So, ubuntu 16.04 LTS comes with gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) , I have a package that requires 4.7 to compile. How backward compatible is gcc5 ?
[13:18] next question would it be possible to install the gcc 4.7 along side 5.0 if I need ?
[13:19] Ussat: how is the requirement defined? Exactly 4.7, or 4.7 or higher?
[13:19] To build bcl2fastq2 Conversion Software v2.17, you need the following software.
[13:19] Versions listed are tested and supported; newer versions are untested.
[13:19] } gcc 4.7 (with support for c++11)
[13:19] I wish was higher....
[13:20] does it actually say it will not work with 5.0
[13:20] No, it does not
[13:20] ^ that (ninja'd)
[13:20] Ussat: 5.0 might work, I would suggest starting with that first
[13:20] it says untested
[13:20] before trying to coinstall multiple compilers
[13:20] have you tried it with 5 ?
[13:20] not yet
[13:21] I might just spin up a test VM and test this shit
[13:24] I just hate the way these docs are written
[13:24] my day just got more complicated
[13:24] please don't swear
[13:24] there isn't a need for it
[13:24] you'll find it a lower risk to build with 5 than maintain multiple compilers and linker objects on the same box
[13:25] Oh I totally agree
[13:25] more so when the chances are there is not a 4.7 gcc install package for your ubuntu version
[13:25] so no idea where you expect to get it
[13:25] I am waiting for a tech contact at the company to call me back to ask them some questions
[13:25] why not just try it ?
[13:25] There is a gcc4.7 actually
[13:25] see what happens
[13:25] ahhh so where is 5 coming from then ?
[13:26] on my ubuntu system, but I can get a 4.7 for it also, was just wondering if I could side by side install, just exploring options
[13:26] I like to lay out all my options before jumping into a test
[13:27] how can you get 4.7 for it
[13:27] what version of ubuntu is this ?
[13:28] 16.04 LTS
[13:29] <_Wise_> rbasak: thanks
[13:29] is there a 4.7 package in the 16.04 repo ?
[13:29] yes
[13:30] Like I said, I just like to lay out all my options
[13:30] before I decide which to test
[13:31] EmilienM, I see a lot of ACCESS_REFUSED amqp errors in your logs, do you also get those with ovs?
[13:32] coreycb: no
[13:34] coreycb: its out
[13:34] zul, cool want to get started? let's not release neutron quite yet.
[13:35] coreycb: sure
[13:35] zul, did you bump tooz yesterday?
[13:35] coreycb: i didnt...its not bumped in debian
[13:36] zul, yeah they're mostly behind us. I think we should try to get to 1.43.0 since that's what upper constraints is at.
[13:37] coreycb: ack...
[13:41] EmilienM, seems that your rmq logs also have invalid credentials errors: http://logs.openstack.org/61/382661/1/check/gate-puppet-openstack-integration-4-scenario003-tempest-ubuntu-xenial/1f52421/logs/rabbitmq/rabbit@ubuntu-xenial-osic-cloud1-s3700-4770556.txt.gz
[13:42] not sure if that's a red herring or not
[13:45] coreycb: taking aodh
[13:46] zul, also hold off on nova. I'm sorting out dep8 failures.
[13:46] yes master
[13:49] zul, taking cinder
[13:59] zul, taking barbican
[14:00] is senderid needed to be configure to send to hotmail? I've got my messages bouncing from hotmail domain
[14:17] coreycb: aodh uploaded
[14:17] coreycb: taking glance
[14:19] zul, ack, cinder and barbican uploaded. want me to grab tooz?
[14:20] coreycb:yeah go ahead
[14:20] zul, on it
[14:25] frickler, you should get neutron-dynamic-routing for newton
[14:25] frickler, zigo packaged it for Debian (not in freeze) so we should be able to sync it
[14:25] thanks zigo ;)
[14:29] jamespage: yep, I'm already testing it, thanks for the headsup. sometimes it is useful to be upstream and operator at the same time ;)
[14:29] frickler, lol
[14:29] frickler, ppa:james-page/newton
[14:34] coreycb: glance uploaded
[14:35] coreycb: taking heat...not literally
[14:36] zul, hah, what a comedian
[14:38] zul, taking designate
[14:45] zul, tooz and designate uploaded. taking horizon.
[14:59] zul, horizon uploaded, taking keystone
[15:00] coreycb: trying to speed myself up
[15:03] coreycb: heat uploaded
[15:04] coreycb: getting manila
[15:06] zul, ack, getting networking-ovn. keystone uploaded.
[15:13] jamespage: I had built my own already, just tested on an allinone deployment, works pretty well.
[15:28] coreycb:manila uploaded
[15:29] coreycb: i think we should skip neutron-* since neutron isnt uploaded yet
[15:29] zul, agreed
[15:30] zul, networking-ovn uploaded
[15:30] coreycb: grabbing trove
[15:47] coreycb: trove uploaded
[16:03] coreycb: do you want to handle nova and neutron?
[16:08] zul, sure, thanks for the help!
=== alexisb is now known as alexisb-afk
=== degorenko is now known as _degorenko|afk
[18:02] Ubuntu 16.01 My printer is only printing magenta and black. Any ideas? HP 1010 inkjet. hp-toolbox reports ink levels are OK.
[18:08] apb1963: I guess u mean 16.04? I would advice u to go to the "ubuntu" channel
[18:25] is the network install of ubuntu 12.04 broken?
[18:26] it refuses to continue after i chosen the repository
[18:33] ws2k3: what error messages do you get?
[18:34] ws2k3: i don't think it's 'known broken'
[18:34] apb1963: some advice on debugging printers is at https://wiki.ubuntu.com/DebuggingPrintingProblems
[18:34] sarnold, ty
[18:40] sarnold, sadly... there's only 1 mention of color and it's not the problem I have. I'm tempted to go get some more ink since it's low to the eye even though it reports OK. But I hate to spend the money if I'm just going to get more of the same behavior :/
[18:41] apb1963: i take it the printer doesn't have a non-OS driven test page mode?
[18:43] be aware that it's easy to spend more on ink debugging an hp printer than it costs to buy a new printer from a different vendor
[18:47] heh
[18:47] nacc, I didn't think to look... let me check.
[18:51] nacc no error message it just hangs after choosing the repository
[19:16] are private chats logged in freenode? And are they publicly visible?
[19:18] torak: If you mean private messages, no. If you mean channels, then its on a channel by channel basis, but its not something that freenode itself provides.
[19:18] !logs
[19:18] Official channel logs can be found at https://irclogs.ubuntu.com/ . LoCo channels are now logged there too. Meeting logs from meetingology at http://ubottu.com/meetingology/logs/
[19:18] freenode does not maintain logs of private chats, but you should be aware that contents of chats are available unencrypted in ircd memory, so if you don't trust the network operators or server admins then you should use another layer like OTR or gpg on top to provide end-to-end encryption
[19:18] torak: if you need more info, ask #freenode
[19:20] sarnold: you mean freenode admins by server admins right? Not channel admins?
[19:20] Pici: thank you i will check that out.
=== alexisb-afk is now known as alexisb
[19:28] Can anyone here explain the reasoning behind setting VHOST_NET_ENABLED=0 in the default kvm virtualization settings? This article says it's a bad default setting, but I'm assuming ubuntu-server devs have a reason for setting it that way. https://blog.codecentric.de/en/2014/09/openstack-crime-story-solved-tcpdump-sysdig-iostat-episode-3/
[19:30] torak: correct, server admins
[19:44] jgrimm: ^
[19:46] hi. i have a 16.04 computer that includes an nfs mount in fstab. sometimes, the network sucks, and during boot, the share fails to mount. there is a long, long, timeout when this happens. how can i change this timeout?
[19:50] rbasak: rharper, cpaelzer possibly
[20:24] hi all :)
=== rcj` is now known as rcj
=== rcj is now known as Guest46240
=== Guest46240 is now known as rcj
[20:49] Is Conjure-up the preferred method for deploying single node openstack?
[20:53] shamurai: yes
[20:54] stokachu: Thanks, so many different methods...
[20:55] shamurai: well it's conjure-up for xenial and above from here on out
[20:55] shamurai: trusty is still openstack-installer
[20:55] shamurai: and trusty only allows installing autopilot
[20:56] stokachu: Hardware requirements are still a bit steep. Does conjure-up allow for deploying just swift?
[20:56] shamurai: no
[20:56] you are deploying OpenStack to a single machine, the hardware requirements are pretty reasonable for that
[20:58] stokachu: Well I'm really just trying to test swift, was thinking about using it with Backup Exec S3 Cloud Connector and the swift3 api
[20:59] shamurai: feel free to fork and modify https://github.com/conjure-up/spells/tree/master/openstack-novalxd
[20:59] you can update the bundle and deploy with conjure-up
[21:02] stokachu: thanks
[21:04] hi all
[21:05] I have a couple of questions about openstack on ubuntu
[21:05] I have put them in a askubuntu question
[21:05] http://askubuntu.com/questions/832736/openstack-with-autopilot-some-networking-clear-up
[21:05] PCdude: add the autopilot tag so the landscape guys will see it
[21:07] PCdude: sorry openstack-autopilot
[21:07] stokachu: done
[21:08] PCdude: to answer your first question you can do 'JUJU_BOOTSTRAP_TO=host.maas sudo -E openstack-install'
[21:10] stokachu: thanks awesome, I think the best way is to add an answer and slowly add the pieces in there when all are answered?
[21:17] I am setting an ubuntu-server and I want to do some disk modifications before the partitioner starts up. Is there a way to use parted from the console that activates if I press ctrl+alt+f2?
[21:40] blizzow: what kind of modifications?
[21:51] blizzow: anna-install parted-udeb