=== Monthrect is now known as Piper-Off | ||
nacc | jgrimm: https://bazaar.launchpad.net/~ubuntu-release/britney/hints-ubuntu/view/head:/pitti#L164 | 02:15 |
nacc | jgrimm: i don't actually know the context of that file, beyond I believe it's what the AA's use | 02:16 |
adrian_1908 | On a fresh server installation with OpenSSH selected, do the host keys in /etc/ssh already exist, or do they have to be created manually by the admin? | 02:41 |
sarnold | I believe they are created at the first boot | 02:42 |
nacc | or whenever sshd first runs? | 02:48 |
sarnold | yeah | 02:49 |
adrian_1908 | i haven't found a clear answer online, but i think most texts hint at what you're suggesting. | 02:55 |
lordievader | Good morning. | 06:56 |
freakynl | Hi, how do I add Ubuntu Trusty to the list on launchpad here? https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1605494 | 09:05 |
ubottu | Launchpad bug 1605494 in linux (Ubuntu Yakkety) "vmxnet3 LRO IPv6 performance issues (stalling TCP)" [Undecided,Fix released] | 09:05 |
=== tinwood is now known as tinwood_swap | ||
=== tekku is now known as tekk | ||
ronator | Hi. I am learning systemd unit files. I have a 'stupid' php process I need to stop. Only way is with kill. On CMD it works really fast: "kill -15 $(pidof php)". But if I do this with systemctl (ExecStop) it takes almost exactly 1:30 minutes to stop/kill the process. Is that a systemd problem? What am I doing wrong? | 11:17 |
ronator | Any systemd pro may help me? This is the (edited) service unit file http://paste.ubuntu.com/24151186/ ; I checked with "watch + ps" that the service is really stopping only after 90 seconds (so it's not systemd waiting for a timeout or so, I guess) | 11:26 |
ronator | I may have found the error: -> Mar 10 12:22:48 HOSTNAME systemd[1]: someproxy.service: State 'stop-sigterm' timed out. Killing. | 11:30 |
Doow | What exactly is it that triggers apache on boot (16.10)? I see no indications in the logs of it even trying to start on my server. | 11:32 |
ronator | there should be an apache.service file somewhere on your system - or not (/lib/systemd or /etc/systemd) | 11:35 |
ronator | or apache2.service | 11:35 |
ronator | "service" now also uses systemctl, so what does "sudo service apache status" or similar say? | 11:36 |
Doow | ronator, is that what actually triggers it? because "sudo systemctl enable apache2.service" says that it can't be enabled via systemd (gimme a sec and I'll pastebin it) | 11:36 |
ronator | I think I read that apache still does not offer unit files for systemd ... | 11:37 |
ronator | not sure | 11:37 |
Doow | http://paste.ubuntu.com/24151223/ | 11:37 |
ronator | well you could get a basic apache systemd unit file and drop it into /etc/systemd/system - or you could use nginx (different syntax but some like it more than apache - and it has systemd unit files) | 11:39 |
ronator | Doow: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798430 | 11:39 |
ubottu | Debian bug 798430 in apache2 "apache2: please add systemd service file" [Wishlist,Fixed] | 11:39 |
ronator | exactly | 11:40 |
Doow | ronator, it *can* start automatically, it's just that something broke on my system | 11:41 |
Doow | and I can't figure out what | 11:41 |
ronator | check /var/log/syslog? | 11:41 |
ronator | and dmesg - if something broke you need to find out what - or windows-style re-install | 11:42 |
Doow | nothing, I can't find any trace of it in any logs (which is why I wanted to know what exactly is supposed to trigger it) | 11:42 |
ronator | well from my understanding it can't start automatically because no systemd unit file is there and systemd can't for some reason create it on the fly | 11:42 |
Doow | I'm not even sure it tries to start | 11:43 |
ronator | did you upgrade from 15.10 or 14.10 or so? | 11:43 |
Doow | no, clean install | 11:43 |
ronator | that's a shame, apache ... | 11:43 |
ronator | clean install should not have messed up your system ;-) | 11:44 |
Doow | I of course have done things on the system, but after the install =) | 11:44 |
ronator | so i think it is still the case of the missing systemd file | 11:45 |
ronator | suggestion: quick install of nginx, see how that behaves on your system | 11:45 |
ronator | if that behaves better, blame apache | 11:45 |
Doow | that isn't really helpful though I'm trying to solve the problem, not find someone/something to blame =P | 11:46 |
ronator | well but to solve it you must find the reason that is to blame | 11:46 |
ronator | and i guess it is a huge problem that apache ships without systemd file (if that is still true) | 11:47 |
ronator | I can only tell you, I assume it is missing systemd files for apache. So with nginx you could somehow prove that (if nginx has no issues). And if you then decide to try a systemd unit file for apache, you may well take the nginx one, modify it and boom | 11:48 |
ronator | make sure you work in /etc/systemd/system path for such experiments | 11:49 |
Doow | it ships with a systemd file, it just doesn't have an [Install] section. So you can't set it to automatically start from there. | 11:49 |
ronator | okay, let me think a sec | 11:49 |
Doow | there's a setup of glue scripts to let systemd work with it (as mentioned in the bug you linked) | 11:50 |
ronator | [Install] WantedBy=multi-user.target | 11:50 |
ronator | if the install section is missing, systemd does not know at what "runlevel" to start apache! | 11:50 |
ronator | this is the minimum config for that | 11:51 |
ronator | afk 10 minutes - let me know how it goes | 11:52 |
zioproto | hello, if I have to build a container for Horizon Ocata, what is the best Ubuntu distro version? Should I use Xenial? | 11:55 |
ronator | zioproto: not sure because ubuntu has a habit of not using bleeding edge software so maybe check what container version (docker.io?) you get there. If you want to use Xenial you should know a bit about systemd I guess. | 12:00 |
Genk1 | Hello | 12:12 |
Genk1 | I have just generated a new SSL certificate | 12:13 |
Genk1 | with default options | 12:13 |
Genk1 | but I am wondering what was the CSR that was used to generate this certificate ? | 12:14 |
Genk1 | I need to inform Dovecot about the CA dir | 12:14 |
Genk1 | But I don't know where it is | 12:15 |
ronator | you are not forced to create a CSR, e.g. for self-signed certificates - the CSR would be needed to let a CA create the certificate; usually you would only create the key | 12:15 |
ronator | (and the CSR for the CA) | 12:15 |
ronator | Genk1: create the KEY: openssl genrsa -out www.someserver.com.key 4096 | 12:17 |
ronator | Genk1: create the CSR: openssl req -new -key ./www.someserver.com.key -sha256 -out www.someserver.com.csr | 12:17 |
Genk1 | ronator, it's already done but Dovecot is asking me the ca dir in the parameter : ssl_client_ca_dir | 12:17 |
ronator | Genk1: wouldn't that be something like /etc/ssl ? | 12:19 |
ronator | ssl_client_ca_dir = (''your distribution's trusted TLS CA store (Fedora / CentOS / Redhat uses /etc/pki/tls/ )) | 12:19 |
Genk1 | I have already given it ssl_client_ca_dir = /etc/ssl/certs | 12:20 |
ronator | could you post the error message? (i guess you reloaded dovecot) | 12:21 |
Genk1 | ronator, OK | 12:22 |
Genk1 | doveadm(email1@ki.localdomain): Fatal: Disconnected from remote: Received invalid SSL certificate: self signed certificate: /C=MA/ST=Casablanca/L=Casablanca/O=KI/OU=IT | 12:22 |
ronator | is that really _your_ certificate? | 12:23 |
ronator | either it does not like the self-signed or it complains about the file itself: invalid certificate | 12:23 |
Genk1 | ronator, yes, it's a local certificate | 12:24 |
Genk1 | I will use it in prod also | 12:24 |
ronator | should not be a problem if you can roll out this cert | 12:24 |
ronator | where is the common name of the server? CN? | 12:25 |
ronator | you should enter the CN in the certificate, it should match the hostname | 12:25 |
ronator | I can't see it from here | 12:25 |
ronator | not sure if this causes a disconnect in general | 12:26 |
Genk1 | ronator, you're right, but is it mandatory to have this? | 12:26 |
ronator | well, in terms of webservers, no: if the CN does not match the DNS name, most browsers will complain. Not sure about dovecot. I use postfix with no "internal" SSL certificate. | 12:27 |
ronator | but I would try that direction because "invalid certificate" sounds ambiguous | 12:28 |
ronator | you could try to open the certificate with a desktop application - this should quickly tell you if the format is broken | 12:28 |
Genk1 | ronator, I am doing the same thing for postfix and it works like a charm | 12:31 |
ronator | wow | 12:31 |
Genk1 | the problem is with dovecot | 12:31 |
Genk1 | especially dovecot replication | 12:32 |
ronator | then I cannot really help you except by doing the same as you would, searching the internet :D | 12:32 |
ronator | maybe there is a dovecot option to allow self signed? I am totally guessing right now. | 12:33 |
Genk1 | ronator, usually I don't come here first when I have an issue | 12:34 |
Genk1 | I always start by the official documentation | 12:34 |
Genk1 | then google | 12:34 |
Genk1 | then IRC :P | 12:34 |
ronator | no offense, just making my point why I cant help you effectively :) | 12:35 |
Genk1 | ronator, no problem, thank you so much | 12:36 |
ronator | you are welcome | 12:36 |
ronator | @systemd: I found out, if you set KillMode= and KillSignal= , you do not need ExecStop --> http://man7.org/linux/man-pages/man5/systemd.kill.5.html | 13:22 |
ronator | [solved] | 13:22 |
jgrimm | thanks nacc! | 14:12 |
DirtyCajun | /msg NickServ identify matthew1 | 15:01 |
DirtyCajun | thank god that was the wrong pass | 15:01 |
jge | hey all good morning, I'm about to start building some Ubuntu 16.04 LTS servers that are not connected to the internet (intended), my network guys tell me I need to let them know what IP:port I need to reach to allow access.. I'm thinking access to http://us.archive.ubuntu.com is all I need for initial install, packages, security updates etc | 15:12 |
jge | any other URL I'm missing? | 15:13 |
ronator | jge: http/https should be enough - just check /etc/apt/sources.list for default URLs ... | 15:52 |
ronator | or /etc/apt/sources.list.d/* in case ... | 15:53 |
Genk1 | is there a way to log root activity in syslog ? | 15:59 |
=== degorenko is now known as _degorenko|afk | ||
scottjl | like the commands root does? just check their history. | 16:14 |
scottjl | anything root does, they could erase out of syslog, unless you're using an external server | 16:15 |
Genk1 | scottjl, hmm | 16:15 |
Genk1 | well I need such thing in a centralized log server | 16:15 |
scottjl | syslog can be centralized. | 16:15 |
scottjl | but it doesn't log shell commands | 16:15 |
Genk1 | where I check who has executed root commands | 16:16 |
scottjl | http://backdrift.org/logging-bash-history-to-syslog-using-traps | 16:16 |
scottjl | but. if someone is root. they could slip out of things like this. spawning subshells, scripting, etc. | 16:17 |
scottjl | if someone has root access, there are too many ways for them to mask what they are doing | 16:17 |
Genk1 | I see | 16:18 |
scottjl | might be better to have them work thru sudo | 16:18 |
scottjl | and have sudo log everything | 16:18 |
Genk1 | thanks for the link | 16:18 |
scottjl | no problem | 16:18 |
Genk1 | scottjl, that's what I suggested, but you can't change the mind of a whole team | 16:18 |
scottjl | well. if i have root access to your server, i don't care what kind of logging is going on, i can easily mask what i'm doing. | 16:19 |
Genk1 | scottjl, I understand what you say | 16:20 |
scottjl | so your team has to decide if they really want security, or just the illusion | 16:20 |
Genk1 | it's useless to log root activity | 16:20 |
scottjl | right. i could easily copy in some command i shouldn't be doing to the name of 'ls' or something and run that. reviewing root logs wouldn't show anything strange. or write a script. name it whatever. again. logging doesn't show anything strange. | 16:22 |
scottjl | you can't do that thru sudo. well not as easily. | 16:23 |
scottjl | logging bash commands to an external server will give you some more protection, but doesn't prevent masquerading | 16:24 |
genii | bash log is of no use because a space before any command will prevent it from being logged but still executes | 16:28 |
nacc | jgrimm: yw | 16:31 |
=== ashleyd is now known as ashd | ||
=== logan_ is now known as Guest29589 | ||
=== Guest29589 is now known as logan- | ||
drab | Genk1: at a job I worked at we used a modified shell for that | 18:41 |
drab | Genk1: a common one is "rootsh" | 18:41 |
drab | the other common tool for that is "snoopy" | 18:41 |
drab | and "sniffy" | 18:41 |
drab | it was a while back tho, dunno if those projects are still active/working | 18:42 |
drab | the more modern and possibly "correct" way of doing it is using "auditd", which can be configured to track all exec syscalls | 18:43 |
drab | https://www.scip.ch/en/?labs.20150604 has some examples | 18:43 |
drab | and http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html | 18:44 |
drab | although the examples are on RH it should work just fine on ubuntu | 18:44 |
=== zul is now known as zulVacation | ||
ThiagoCMC | Hey guys! With QEmu 2.5 and Libvirt 1.3.1 (Ubuntu 16.04 plus Newton Cloud Archive, just to get new DPDK and new OVS), I was able to run KVM with hugepages and numa placement, like this: | 20:45 |
ThiagoCMC | "<cell id='0' cpus='0-3' memory='8388608' unit='KiB' memAccess='shared'/>" | 20:45 |
ThiagoCMC | Works great! | 20:45 |
ThiagoCMC | However, now, I upgraded it to QEmu 2.8 and Libvirt 2.5 (Ocata Cloud Archive), and my VM is not booting anymore, with the following error: "Error starting domain: unsupported configuration: Shared memory mapping is supported only with hugepages" | 20:45 |
ThiagoCMC | What is happening? | 20:45 |
ThiagoCMC | I had to remove the "memAccess", like this: "<cell id='0' cpus='0-3' memory='8388608' unit='KiB'/>" | 20:46 |
ThiagoCMC | So, the VM booted but, why? | 20:46 |
ThiagoCMC | hugepages are enabled and I don't get why facing that error... :-( | 20:46 |
ThiagoCMC | Any clue? | 20:46 |
nacc | ThiagoCMC: memAccess=shared does not refer to hugepages | 21:06 |
nacc | ThiagoCMC: it just indicates the memory map is shared and not private | 21:06 |
nacc | ThiagoCMC: it sounds like you are missing a <memoryBacking> stanza maybe? | 21:06 |
=== Agent_ is now known as Agent | ||
ThiagoCMC | nacc, here is my Libvirt XML (simple Jinja2) that was working until Ocata Cloud Archive: https://github.com/tmartinx/svauto/blob/dev/ansible/roles/libvirt/templates/virtual-machines/stack-1-pts-1.xml.j2 | 22:03 |
ThiagoCMC | memoryBacking is there... Otherwise, it would not work with previous OVS+DPDK / Libvirt / QEmu... | 22:04 |
ThiagoCMC | If it does not refer to hugepages, why it is complaining that it needs hugepages? | 22:05 |
nacc | ThiagoCMC: i meant, shared on its own does not imply hugepages | 23:10 |
nacc | the memorybacking does | 23:10 |
nacc | ThiagoCMC: is your guest using hugepages (in practice)? | 23:10 |
ThiagoCMC | Previously, yes, for sure; now I just started playing with new versions, I'm not 100% sure yet... | 23:43 |
nacc | ThiagoCMC: ok, well, memAccess=shared only works with hugepages -- so if for some reason your guest isn't backed by hugepages and you request shared, I think it's an error | 23:46 |
ThiagoCMC | I see, I'll double check that... Thank you! | 23:48 |
nacc | ThiagoCMC: that's just my reading of the libvirt XML spec :) | 23:49 |
nacc | ThiagoCMC: but yeah, why it's not backed by hugepages would be the first thing to check | 23:49 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!